Preface



This volume contains papers selected for presentation at the 2004 Annual Confer- 
ence of the European Association for Computer Science Logic, held on September 
20-24, 2004 in Karpacz, Poland. 

The CSL conference series started as the International Workshops on Com- 
puter Science Logic, and then, after five meetings, became the Annual Conference 
of the European Association for Computer Science Logic. This conference was 
the 18th meeting, and the 13th EACSL conference. 

Altogether 99 abstracts were submitted, followed by 88 papers. Each of these 
papers was refereed by at least three reviewers. Then, after a two-week electronic 
discussion, the Programme Committee selected 33 papers for presentation at the 
conference. Apart from the contributed papers, the Committee invited lectures 
from Albert Atserias, Martin Hyland, Dale Miller, Ken McMillan and Pawel 
Urzyczyn. 

We would like to thank all PC members and the subreferees for their excellent 
work. 

The electronic PC meeting would not be possible without good software 
support. We decided to use the GNU CyberChair system, created by Richard 
van de Stadt, and we are happy with this decision. We also would like to thank 
Michal Moskal who installed and ran CyberChair for us. Finally, we would like 
to thank Tomasz Wierzbicki, who helped with the preparation of this volume.

We gratefully acknowledge financial support for the conference received from 
the Polish Committee for Scientific Research, and Wroclaw University. 
Notions of Average-Case Complexity for Random 3-SAT



Albert Atserias* 

Universitat Politecnica de Catalunya, Barcelona, Spain 



Abstract. By viewing random 3-SAT as a distributional problem, we go over some 
of the notions of average-case complexity that were considered in the literature. 
We note that for dense formulas the problem is polynomial-time on average in 
the sense of Levin. For sparse formulas the question remains widely open despite 
several recent attempts. 



1 Introduction 

The satisfiability problem for propositional logic is central to computational complexity. 
The work of Cook [2] showed that the problem is NP-complete, even when restricted 
to 3-CNF formulas, and is thus hard in the worst case unless P = NP. Later on, the
optimization versions of 3-SAT were also considered and shown hard. Namely, Håstad
[4] culminated the monumental work of the 1990s on PCPs by showing that the number of
clauses that can be satisfied simultaneously in a 3-CNF formula cannot be approximated 
within a ratio better than 7/8 in polynomial-time, unless P = NP. The current decade is 
perhaps time for studying the average-case complexity of 3-SAT. Is it hard on average 
as well, unless P = NP, or is it easier? 

The program is also motivated by the fact that a fairly natural probability dis-
tribution on 3-CNF formulas has attracted the attention of many different communities, 
from AI to statistical physics, through combinatorics and mathematical logic. Our aim 
here is to review the background for a complexity-theoretic approach to the average-case 
complexity of random 3-SAT. In this short note we focus on the different definitions of 
average-case complexity that were introduced in the literature and their relationship. 
In the talk we will overview some of the partial results towards settling the main open 
questions. 



2 Notions of Average Case Complexity 

For every $n > 0$, let $f_n : \{0,1\}^n \to \{0,1\}$ be a Boolean function. In order to simplify
notation, we will use $f$ instead of $f_n$, and we will write $f = \{f_n\}$ to emphasize the fact
that $f$ is actually a sequence of functions parameterized by $n$. It will be understood
from context that $f$ denotes the sequence of functions $\{f_n\}$ in some cases, and the
particular function $f_n$ in others. We adopt the framework of ensembles of distributions
suggested by Impagliazzo [5], where a different probability distribution is considered
for each input size. So let $\mu = \{\mu_n\}$ be a probability distribution on $\{0,1\}^n$. We should
think of $\mu$ as a sequence of distributions, one for each $n > 0$. The pair $(f, \mu)$ is called a
distributional problem. Informally, the problem reads as follows: given a random input
$x \in \{0,1\}^n$ drawn according to distribution $\mu_n$, compute $f_n(x)$.

* Supported in part by CICYT TIC2001-1577-C03-02 and the Future and Emerging Technologies
programme of the EU under contract number IST-99-14186 (ALCOM-FT).

J. Marcinkowski and A. Tarlecki (Eds.): CSL 2004, LNCS 3210, pp. 1-5, 2004.

Levin's Average Case. Let $(f, \mu)$ be a distributional problem. Consider an algorithm
$A$ computing $f$, and let $T = T_n : \{0,1\}^n \to \mathbb{N}$ be its running time on inputs of
length $n$. What should it mean that the running time $T$ of $A$ be polynomial on average
with respect to $\mu$? The obvious immediate candidate definition would be this: there
exists a $k \geq 1$ such that $E_\mu[T] = O(n^k)$, where $E_\mu$ denotes expectation with respect
to $\mu$. Unfortunately, this simple definition suffers from a serious problem: the class
of functions that are polynomial on average under this definition is not closed under
polynomial images. Indeed, if we let $\mu$ be the uniform distribution on $\{0,1\}^n$, and let
$T$ be such that $T(x) = n$ for all but one string $x_0$ in $\{0,1\}^n$, for which $T(x_0) = 2^n$,
then $E_\mu[T] = O(n)$ while $E_\mu[T^2] = \Omega(2^n)$. This lack of robustness would spoil any
attempt to build a theory of polynomial reducibilities among distributional problems. A
satisfactory remedy to this was discovered by Levin and reformulated by Impagliazzo
for ensembles of distributions: we say that $T$ is polynomial on average with respect
to $\mu$ if there exists a $k \geq 1$ such that $E_\mu[T^{1/k}] = O(n)$. It is now immediate from
this definition that the class of functions that is polynomial on average is closed under
polynomial functions. We say that a distributional problem $(f, \mu)$ has a polynomial-
time on average algorithm if there exists an algorithm $A$ for $f$ whose running time is
polynomial on average with respect to $\mu$.

Impagliazzo's Benign Algorithms. Let $f = \{f_n\} : \{0,1\}^n \to \{0,1\}$ be a Boolean
function. A prudent algorithm for $f$ is one that, for every input $x \in \{0,1\}^n$, outputs
either $f(x)$ or $?$. We should think of $?$ as a "don't know" answer. Clearly, a prudent
algorithm is useful only if it rarely outputs $?$. We say that a distributional problem $(f, \mu)$
has a polynomial-time benign algorithm if there exists a prudent algorithm $A(x, \delta)$ for
$f$ that is polynomial-time in $|x|$ and $1/\delta$, and such that $\Pr_\mu[A(x, \delta) = ?] \leq \delta$, where
$\Pr_\mu$ denotes probability with respect to $\mu$. The last clause of this definition formalizes
the idea that the algorithm "rarely outputs $?$".

Impagliazzo [5] showed that the two notions introduced so far coincide, from which 
we conclude that the concept is fairly robust. We reproduce the proof since it is infor- 
mative. 

Theorem 1 (Impagliazzo). Let $(f, \mu)$ be a distributional problem. Then, the following
are equivalent:

1. $(f, \mu)$ has a polynomial-time on average algorithm.

2. $(f, \mu)$ has a polynomial-time benign algorithm.

Proof. We start by 1. implies 2.: Let $E_\mu[T^{1/k}] \leq cn$. By Markov's inequality, we have
$\Pr_\mu[T(x) \geq (tcn)^k] \leq 1/t$. Thus, for building a benign algorithm, it suffices to run the
polynomial-time on average algorithm for $(cn/\delta)^k$ steps, and if it does not terminate,
output $?$. Next we show that 2. implies 1.: Suppose the benign algorithm runs in $(n/\delta)^k$
steps. Run the benign algorithm with parameter $\delta = 1/2, 1/4, 1/8, \ldots$ until an output
different from $?$ is returned. Then, the expectation of the $2k$-th root of the running time
of this algorithm is bounded by
$$(2n)^{1/2} + \tfrac{1}{2}(4n)^{1/2} + \tfrac{1}{4}(8n)^{1/2} + \cdots = O(\sqrt{n}),$$
since at most $1/2$ of the inputs return $?$ in the first round, at most $1/4$ in the second
round, and so on. □

Certification Algorithms. Let $(f, \mu)$ be a distributional problem. A sound algorithm for
$f$ is one that, for every input $x \in \{0,1\}^n$, if it outputs $1$, then indeed $f(x) = 1$. Clearly, a
sound algorithm $A$ is useful only if it outputs $1$ on a large fraction of the "yes" instances, in
other words, only if $|\Pr_\mu[f(x) = 1] - \Pr_\mu[A(x) = 1]|$ is small. In such cases we say that
it is almost complete. We say that a distributional problem $(f, \mu)$ has a polynomial-time
certification algorithm if there exists a sound algorithm $A(x, \delta)$ for $f$ that is polynomial
in $|x|$ and $1/\delta$, and such that $|\Pr_\mu[f(x) = 1] - \Pr_\mu[A(x, \delta) = 1]| \leq \delta$. The last clause of
this definition formalizes the idea of almost completeness. The relationship is now very
easy to see:

Lemma 1. Let $(f, \mu)$ be a distributional problem. Then, if $(f, \mu)$ has a polynomial-time
benign algorithm, then $(f, \mu)$ has a polynomial-time certification algorithm.

Proof. Let $A(x, \delta)$ be the benign algorithm. Consider the following algorithm $B(x, \delta)$:
run the benign algorithm $A(x, \delta)$, and if it outputs $?$, output $0$. Clearly, $B(x, \delta)$ is sound.
Moreover, by soundness, we have $|\Pr_\mu[f(x) = 1] - \Pr_\mu[B(x, \delta) = 1]| = \Pr_\mu[f(x) \neq B(x, \delta)]$,
which in turn is bounded by $\Pr_\mu[A(x, \delta) = ?] \leq \delta$. □

If we put Theorem 1 and Lemma 1 together we see that if (/, p) has a polynomial- 
time on average algorithm, then (/, p) has a polynomial-time certification algorithm. 
In the contrapositive form, if (/, p) is hard to certify, then (/, p) is hard on average. 
Although we do not know whether the converse relationship holds in general, we note 
in the next section that it holds for the particular case of random 3-SAT. 



3 Random 3-SAT 

Let $x_1, \ldots, x_n$ be $n$ propositional variables. A literal is a variable or its negation. A
3-clause is a tuple of three literals. A 3-CNF formula is a set of 3-clauses. Note that
the number of 3-clauses is exactly $(2n)^3$. Thus, a 3-CNF formula can be encoded by a
binary string of length $(2n)^3$ denoting which clauses are present and which are not.

There are several probability distributions that have been considered in the literature.
The one we adopt here is inspired by the theory of random graphs. The distribution
$\mu = \mu_n$ is parameterized by a real number $p = p_n$ in $(0, 1)$ and consists in choos-
ing each clause with independent probability $p$. This probability model is sometimes
referred to as model A. Model B considers the number of clauses $m$ as fixed
and chooses the formula uniformly within that set. Both these models have several vari-
ants according to whether clauses are ordered tuples or sets, and may, or may not, have
repeated and complementary literals. As in the random graph model, which model to
use is often a matter of convenience, and rarely an important issue as far as the results
are concerned.
We are interested in the distributional problem $(\mathrm{UNSAT}, \mu)$, where $\mathrm{UNSAT} =
\mathrm{UNSAT}_n$ is simply the unsatisfiability problem on 3-CNF formulas with $n$ variables,
and $\mu = \mu_n$ is the probability distribution that we just described. Notice that here $n$ is
not exactly the length of the input, but it is polynomially related. Notice also that $\mu$ is
parameterized by $p = p_n$, and the complexity of the distributional problem may very
well depend on $p$. As a matter of fact, when $p$ is large, it can be seen that $(\mathrm{UNSAT}, \mu)$
has a benign polynomial-time algorithm. Before proving that, we first show that for
all values of $p$ that guarantee unsatisfiability of a random formula with overwhelming
probability, the three notions of average-case complexity considered so far coincide.

Theorem 2. Let $p \geq (\ln 2 + \epsilon)/n^2$, with $\epsilon > 0$. Then, the following are equivalent:

1. $(\mathrm{UNSAT}, \mu)$ has a polynomial-time on average algorithm.

2. $(\mathrm{UNSAT}, \mu)$ has a polynomial-time benign algorithm.

3. $(\mathrm{UNSAT}, \mu)$ has a polynomial-time certification algorithm.

Proof. By Theorem 1 and Lemma 1, it suffices to show that 3. implies 1. Let $A(x, \delta)$ be
the certification algorithm. Assume its running time is $(n/\delta)^k$. Consider the following
algorithm. Run the certification algorithm with parameter $\delta = 1/2, 1/4, 1/8, \ldots$ until
either "unsatisfiable" is returned, in which case we return "unsatisfiable" as well, or
the parameter becomes smaller than $2^{-n}$, in which case we run through all $2^n$ truth
assignments to check whether $F$ is satisfiable or not. By soundness of the certification
algorithm, it is clear that this algorithm is correct. Let us estimate the expectation of the
$r$-th root of its running time for a constant $r$ to be determined later.

When $p \geq (\ln 2 + \epsilon)/n^2$, the probability that a random formula is satisfiable is $2^{-\gamma n}$
for some constant $\gamma > 0$, as is easy to see. Let us consider the set of "satisfiable"
instances. For those instances, the running time of the algorithm can only be bounded
by
$$\sum_{i=1}^{n} (2^i n)^k + 2^{cn}$$
for some constant $c > 1$, which is time $2^{dkn}$ for some other constant $d > c$. Hence, the
"satisfiable" instances contribute to the expectation of the $r$-th root of the running time
by at most

Let us now turn to the contribution to the expectation of the "unsatisfiable" instances.
The expectation of the $r$-th root of the running time for those instances is bounded by
$$(2n)^{k/r} + 2^{-1}(4n)^{k/r} + 2^{-2}(8n)^{k/r} + \cdots + 2^{-n+1}(2^n n)^{k/r} + 2^{-n}(2^{cn})^{1/r}$$
since at most $1/2$ of the "unsatisfiable" instances miss the first round, at most $1/4$ of
those miss the second round, and so on, until at most $1/2^n$ of the instances miss all
rounds, in which case the algorithm goes on to cycle through all $2^n$ truth assignments in
time $2^{cn}$. It is now straightforward to see that if we take $r$ large enough, say $r > dk/\gamma$,
then the total expectation of the $r$-th root of the running time is $O(n)$. □

In general, the proof technique of this result applies to any distributional problem for 
which the “no” instances represent a fraction that is inversely polynomial with respect 
to the worst-case running time that it is required to solve the problem. Let us conclude
this paper with the promised benign algorithm when $p$ is large. The reader will notice
that the proof below resembles the arguments in [1].

Theorem 3. Let $p = \omega(1/n)$. Then $(\mathrm{UNSAT}, \mu)$ has a polynomial-time benign algo-
rithm.

Proof Sketch: Consider the following algorithm. Let $F$ be the input 3-CNF formula and
let $\delta$ be the error parameter. Let $\gamma > 0$ be a small constant to be determined later. If
$\delta < 2^{-\gamma n}$, simply run through all $2^n$ truth assignments to check whether $F$ is satisfiable
or not. If $\delta \geq 2^{-\gamma n}$, find the most popular variable $x$ in $F$. Consider the set of 2-clauses
in $F|_{x=0}$ and $F|_{x=1}$, and run a polynomial-time 2-SAT algorithm on the resulting 2-CNF
formulas. If both are unsatisfiable, report "unsatisfiable". Otherwise, output $?$.

It should be clear from its definition that the algorithm is prudent. It is also clear that
the running time of the algorithm is polynomial in $n$ and $1/\delta$. Indeed, when $\delta < 2^{-\gamma n}$,
the running time is $2^{O(n)}$, which is polynomial in $1/\delta$, and in the other case the running
time is polynomial in $n$. Let us argue that the probability that it outputs $?$ is smaller than
$\delta$. When $\delta < 2^{-\gamma n}$, the algorithm never outputs $?$. So let us assume that $\delta \geq 2^{-\gamma n}$.

Each variable appears in $O(n^2)$ clauses. Hence, the expected number of occurrences of
each variable is $O(n^2 p)$, which is $\omega(n)$ since $p = \omega(1/n)$. It follows from concentration
bounds that the probability that a particular variable appears less than half this number of
times is . Thus, by Markov's inequality, the probability that some variable appears
$\omega(n)$ times is at least $1 -$ . The number of 2-clauses in $F|_{x=0}$ and $F|_{x=1}$ is thus
$\omega(n)$ with at least that much probability. Moreover, the resulting 2-CNF formulas are
random, so the probability that one of them is satisfiable is bounded by , as is
well-known. All in all, the probability that the algorithm does not report "unsatisfiable"
is bounded by . Thus, the probability that the algorithm outputs $?$ is bounded by
$\delta$ since $\delta \geq 2^{-\gamma n}$. Here $\gamma$ is chosen to be the hidden constant in the bound. □
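The prudent algorithm of Theorem 3, together with the Lemma 1 reading of "?" as 0 and the halving loop of Theorem 2, as an added Python example; this is not code from the paper. The random formula generator follows model A above; the 2-SAT solver (Kosaraju's strongly connected components on the implication graph), the choice $\gamma = 0.5$, the decision to keep every clause of length at most two after restricting on the most popular variable, and the constructed test formulas are this example's own assumptions.

```python
import random
from itertools import product

# Model A of the paper: variables 1..n, literals +i / -i, and each of the
# (2n)^3 ordered 3-clauses present independently with probability p.
def random_3cnf(n, p, rng):
    lits = [v for i in range(1, n + 1) for v in (i, -i)]
    return [c for c in product(lits, repeat=3) if rng.random() < p]

def brute_force_sat(n, clauses):
    """Exhaustive check over all 2^n assignments (the fallback used in the proofs)."""
    for bits in product((False, True), repeat=n):
        if all(any(bits[abs(l) - 1] == (l > 0) for l in c) for c in clauses):
            return True
    return False

def restrict(clauses, var, val):
    """F|x=val: drop clauses satisfied by x=val, delete the falsified literal."""
    true_lit = var if val else -var
    return [tuple(l for l in c if l != -true_lit) for c in clauses if true_lit not in c]

def two_sat_satisfiable(n, clauses):
    """Polynomial 2-SAT via strongly connected components of the implication graph
    (Kosaraju): unsatisfiable iff some x and -x share a component.
    A unit clause is read as (a or a); an empty clause is unsatisfiable."""
    if any(len(c) == 0 for c in clauses):
        return False
    idx = lambda l: 2 * (abs(l) - 1) + (l < 0)
    adj, radj = [[] for _ in range(2 * n)], [[] for _ in range(2 * n)]
    for c in clauses:
        a, b = (c[0], c[0]) if len(c) == 1 else c
        for u, v in ((-a, b), (-b, a)):          # (a or b) gives -a -> b and -b -> a
            adj[idx(u)].append(idx(v))
            radj[idx(v)].append(idx(u))
    order, seen = [], [False] * (2 * n)
    def dfs1(u):
        seen[u] = True
        for v in adj[u]:
            if not seen[v]: dfs1(v)
        order.append(u)
    for u in range(2 * n):
        if not seen[u]: dfs1(u)
    comp = [-1] * (2 * n)
    def dfs2(u, c):
        comp[u] = c
        for v in radj[u]:
            if comp[v] < 0: dfs2(v, c)
    for c, u in enumerate(reversed(order)):
        if comp[u] < 0: dfs2(u, c)
    return all(comp[2 * i] != comp[2 * i + 1] for i in range(n))

GAMMA = 0.5   # assumption: the "small constant" gamma of the proof sketch

def benign_unsat(n, clauses, delta):
    """Theorem 3's prudent algorithm for UNSAT: 'unsatisfiable' only when certain,
    'satisfiable' only from the exhaustive branch, '?' otherwise."""
    if delta < 2.0 ** (-GAMMA * n):
        return 'satisfiable' if brute_force_sat(n, clauses) else 'unsatisfiable'
    if not clauses:
        return '?'
    counts = {}
    for c in clauses:
        for l in c:
            counts[abs(l)] = counts.get(abs(l), 0) + 1
    x = max(counts, key=counts.get)              # the most popular variable
    for val in (0, 1):
        short = [c for c in restrict(clauses, x, val) if len(c) <= 2]
        if two_sat_satisfiable(n, short):         # this side is not refuted
            return '?'
    return 'unsatisfiable'                        # F|x=0 and F|x=1 both refuted

def certify_unsat(n, clauses, delta):
    """Lemma 1: reading '?' (and 'satisfiable') as 0 gives a sound certifier."""
    return benign_unsat(n, clauses, delta) == 'unsatisfiable'

def average_case_unsat(n, clauses):
    """Theorem 2: run the certifier with delta = 1/2, 1/4, ... until it certifies or
    delta drops below 2^-n, then decide exhaustively. Returns (unsat, rounds)."""
    delta, rounds = 0.5, 0
    while delta >= 2.0 ** (-n):
        rounds += 1
        if certify_unsat(n, clauses, delta):
            return True, rounds
        delta /= 2
    return (not brute_force_sat(n, clauses)), rounds

def soundness_check(n=5, p=0.15, trials=30, seed=7):
    """Constructed experiment on random formulas: 'unsatisfiable' is never claimed
    for a satisfiable formula, and the Theorem 2 loop agrees with brute force."""
    rng = random.Random(seed)
    for _ in range(trials):
        F = random_3cnf(n, p, rng)
        truth = not brute_force_sat(n, F)
        if any(certify_unsat(n, F, d) and not truth for d in (0.5, 0.25)):
            return False
        if average_case_unsat(n, F)[0] != truth:
            return False
    return True

# constructed inputs: all eight sign patterns on x1, x2, x3 (unsatisfiable), one clause
ALL_SIGNS = [tuple(s * v for s, v in zip(signs, (1, 2, 3))) for signs in product((1, -1), repeat=3)]
ONE_CLAUSE = [(1, 2, 3)]
```

On `ALL_SIGNS` the 2-SAT branch refutes both restrictions and the algorithm certifies unsatisfiability in the first round; on `ONE_CLAUSE` it answers "?" at large $\delta$ and the loop ends in the exhaustive fallback, which is exactly the behaviour the proof of Theorem 2 charges to the rare "satisfiable" instances.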

It follows from this result and Theorem 1 that when $p = \omega(1/n)$, the distributional
problem $(\mathrm{UNSAT}, \mu)$ is solvable in polynomial-time on average in the sense of Levin.
For $p = $ recent work has focused on certification algorithms [3]. For
$p = O(1/n^2)$, the problem is widely open.
Abstract Interpretation of Proofs: Classical
Propositional Calculus 



Martin Hyland 

DPMMS, Centre for Mathematical Sciences, 
University of Cambridge, England 



Abstract. Representative abstract interpretations of the proof theory 
of the classical propositional calculus are described. These provide in- 
variants for proofs in the sequent calculus. The results of calculations in 
simple cases are given and briefly discussed. 

Keywords: classical propositional calculus, proof theory, category the- 
ory. 



1 Introduction 

1.1 Background

The Curry-Howard isomorphism suggests the connection between proofs in intu-
itionistic propositional logic, simply typed lambda calculus and cartesian closed 
categories. This set of ideas provides a context in which constructive proofs can 
be analysed in a direct fashion. For a treatment in which the category theoretic 
aspect does not dominate see [13]. By contrast analyses of classical proof the- 
ory tend to be indirect: typically one reduces to the constructive case via some
form of double-negation translation. (Of course there is also work constructing 
measures of complexity of classical proofs, but that is not a structural analysis 
in the sense that there is one for constructive proofs.) 

In [16], I sketched a proposal to analyse classical proofs in a direct fashion with 
the intention inter alia of providing some kind of Curry-Howard isomorphism for 
classical proof. This is currently the focus of an EPSRC project with principals 
Hyland (Cambridge), Pym (Bath) and Robinson (Queen Mary). Developments 
have been interesting. While we still lack natural mathematical semantics for an 
analysis along the lines of [16], the flaws in the detail proposed there are now 
ironed out (see [1]). The proof net proposal of Robinson [30] was a response to 
the difficulties of that approach; it has been considered in depth by Führmann
and Pym [11]. This leads to more familiar semantics and we have a clear idea as 
to how this resulting semantics departs from the conception of proof embodied 
in the sequent calculus. But we are far from understanding the full picture. 

One motivation for the project on classical proof was a desire for a systematic 
approach to the idea of invariants of proofs more flexible than that of complexity 
analyses. In this paper I try further to support this basic project by describing 
two abstract interpretations of the classical propositional calculus. One should 
regard these as akin to the abstract interpretations used in strictness analysis.
The point is to define and compute interesting invariants of proofs. The abstract 
interpretations considered here are intended to be degenerate in the same way 
that the (so-called) relational model is a degenerate model of Linear Logic. There 
the tensor and par of linear logic are identified; our abstract interpretations 
identify classical conjunction and disjunction. (The notion of degenerate model 
for Linear Logic is discussed at greater length in [19].) 

In joint work with Power I have tried to put the theory of abstract inter- 
pretations on a sound footing. That involves categorical logic of a kind familiar 
to rather few, so here I leave that aside and simply consider some case stud- 
ies in the hope of provoking interest. These cases studied can be regarded as 
representative: they arise from free constructions of two different kinds. I give 
some calculations (in a bit of a rush - I hope they are right) but do not take 
the analysis very far. A systematic study even of the interpretations given here 
would be a major undertaking; but the calculations complement those in [12] 
which are for special cases of the second class of interpretations considered here. 

One should observe that in this paper I get nowhere near the complexities 
considered by Carbone in [4], [5] and [6]. Carbone’s work can also be regarded 
as a study of abstract interpretations: it is nearest to being a precursor of the 
approach taken here. 

I hope that by and large the notation of the paper will seem standard. How-
ever I follow some computer science communities by using diagrammatic nota-
tion for composition:

$f : A \to B$ and $g : B \to C$

compose to give

$f ; g : A \to C$.



1.2 Abstract Interpretations 

We start with some general considerations concerning the semantics of proofs in 
the sequent calculus for the classical propositional calculus. The basic idea, which 
goes back to Szabo, is to take the CUT rule as giving the associative composition 
in some polycategory. If we simplify (essentially requiring representability of 
polymaps) along the Führmann-Pym-Robinson lines we get the following.

Definition 1. A model of classical propositional proof satisfying the Führmann-
Pym-Robinson equations



There are further categorical nuances which we do not discuss here. 

The interpretation of classical proofs in such a structure is a straightforward 
extension of the interpretation of multiplicative linear proofs in a ^-autonomous 
category. The algebraic structure deals with the structural rules of the sequent 
calculus. The several requirements added are natural simplifying assumptions. 
They do not really have much proof theoretic justification as things stand. 

As indicated above we take a notion of abstract interpretation which arises 
by the identification of the conjunction A and disjunction V. 

Definition 2. An abstract interpretation of classical proof is a symmetric monoidal
category with a duality $(-)^*$ in which every object $A$ carries a commutative comonoid
structure

$t : A \to I$, $\quad d : A \to A \otimes A$

and a commutative monoid structure

$e : I \to A$, $\quad m : A \otimes A \to A$,

subject to the conditions glossed below.

One should note that the optical graphs of Carbone [4] are in effect abstract 
interpretations, but in a more general sense than that considered here. 

We gloss the definition a little. According to it, each object is equipped with 
commutative monoid structure to model the structural rules for V and with 
commutative comonoid structure to model the structural rules for A. Naturally 
we expect the structural rules to be interchanged by the duality (— )*. Modulo 
natural identifications we have 

$(t_A)^* = e_{A^*} : I \to A^*$, $\quad (e_A)^* = t_{A^*} : A^* \to I$,

$(d_A)^* = m_{A^*} : A^* \otimes A^* \to A^*$, $\quad (m_A)^* = d_{A^*} : A^* \to A^* \otimes A^*$.

In addition we ask that the structure be compatible with the monoidal struc- 
ture. This means first that I should have the expected structure 

$t_I = \mathrm{id}_I : I \to I$, $\quad d_I = l_I^{-1} = r_I^{-1} : I \to I \otimes I$,

$e_I = \mathrm{id}_I : I \to I$, $\quad m_I = l_I = r_I : I \otimes I \to I$,

derived from the unit structure

$l_A : I \otimes A \to A$, $\quad r_A : A \otimes I \to A$,
$l_A^{-1} : A \to I \otimes A$, $\quad r_A^{-1} : A \to A \otimes I$

for the tensor unit $I$. In addition it means that the structures are preserved by
tensor: that is, modulo associativities we have 

$d_{A \otimes B} = d_A \otimes d_B ; \mathrm{id}_A \otimes c_{A,B} \otimes \mathrm{id}_B : A \otimes B \to A \otimes B \otimes A \otimes B$,
$m_{A \otimes B} = \mathrm{id}_A \otimes c_{A,B} \otimes \mathrm{id}_B ; m_A \otimes m_B : A \otimes B \otimes A \otimes B \to A \otimes B$.

For the moment it is best to regard these requirements as being justified by 
the models which we are able to give. 

1.3 Strictness 

Any honest consideration of categorical structure should address questions of 
strictness. In particular one has the distinction between functors preserving 
structure on the nose and functors preserving structure up to (coherent) natural 
isomorphism. A setting in which such issues can be dealt with precisely is laid 
out in [2] . The only issue which need concern us here is that of the strictness of 
the structure in our definition of abstract interpretation. 

We shall largely deal with structures freely generated by some data. So it 
will be simplest for us to take the monoidal structure to be strictly associative. 
Similarly we shall be able to take the duality to be strictly involutive so that 

$(f : A \to B)^{**} = (f : A \to B)$
and to respect the monoidal structure, so that on objects
$I^* = I$ and $(A \otimes B)^* = B^* \otimes A^*$

on the nose, and similarly for maps. Note further that duality in a compact 
closed category provides adjunctions for all the 1-cells of the corresponding one 
object bicategory. That is very much choice of structure: so for us every object 
A is equipped with a left (say) dual A* with explicit unit and counit 

$I \to A \otimes A^*$ and $A^* \otimes A \to I$.

This is all as explained in [21]. But one should go further: in general there 
should be natural coherence diagrams connecting the adjunction for A® B with 
the adjunctions for A and B. (In a sense these conditions parallel the assumption 
that the comonoid and monoid structures are preserved under tensor product. 
The relevant coherence theorem extending [21] is not in principle hard, but we
do not need it here.) 

For the purposes of this paper one can take the definition of abstract in- 
terpretation in the strict sense indicated. But not much depends on that: the 
critical issue for the background theory is simply that the notion is given by 
algebraic structure over Cat in the sense of [22]. A reader to whom all this is 
foreign should still understand the examples. 
1.4 Miscellaneous Examples

Before turning to the interpretations which are our chief concern, we give a few 
natural examples of abstract interpretations. For this section we ignore strictness 
issues. 

1. Consider the category Rel of sets and relations equipped with the set the- 
oretic product $\times$ as tensor product. Rel is compact closed; it is contained
in the compact closed core of SupLat, the category of complete lattices and
sup-preserving maps. The duality is

$(-)^*$

and in particular is the identity on objects. For each object $A \in$ Rel there is
a natural choice of commutative comonoid structure arising from product 
in Set. By duality that gives a choice of commutative monoid structure on 
all objects, and by definition the structures are interchanged by the duality. 
This gives a simple abstract interpretation. 

2. We can extend the above example to one fundamental to Winskel’s Domain 
Theory for Concurrency (see [27] for example). Following [27] write Lin (af- 
ter Linear Logic) for the category with objects preordered sets and maps 
profunctors between them. We can regard this also as being within the com- 
pact closed core of SupLat. We equip the preordered set $P$ with comonoid
structure via the counit

$t_P : P \to 1$, $\quad t_P(a, *) = \mathrm{true}$

and the comultiplication

$d_P : P \to P \times P$, $\quad d_P(a, (b, c)) = a \geq b \text{ and } a \geq c$,

extending the definition for Rel. The duality is

$(-)^* : (P \to Q) \mapsto (Q^{op} \to P^{op})$

and this is no longer the identity on objects. The duality induces the monoid 
structure from the comonoid structure so the structures are automatically 
interchanged by duality. 

3. Let FVec be the category of finite dimensional $k$-vector spaces (and $k$-linear
maps) for a field $k$. A bialgebra is an object $A$ of FVec equipped
with the structure

$t : A \to I$, $\quad d : A \to A \otimes A$

of a commutative comonoid and the structure
of a commutative monoid, satisfying the equations

$e_A ; t_A = \mathrm{id}_I$
$m_A ; t_A = t_A \otimes t_A ; m_I$
$e_A ; d_A = d_I ; e_A \otimes e_A$

$m_A ; d_A = d_A \otimes d_A ; \mathrm{id}_A \otimes c_{A,A} \otimes \mathrm{id}_A ; m_A \otimes m_A$

(Hopf algebras (that is, bialgebras with antipode) are amongst the staples 
of representation theory. There is a plentiful supply of such: the standard 
group algebra kG of a finite group G is a Hopf algebra.) If we take the cate- 
gory whose objects are bialgebras, with maps linear maps of the underlying 
vector spaces, we get an abstract interpretation in our sense. 



2 Frobenius Algebras

2.1 Frobenius Abstract Interpretations

Definition 3. A commutative Frobenius algebra is an object $A$ equipped with a
commutative comonoid structure

$(A,\ t : A \to I,\ d : A \to A \otimes A)$

and a commutative monoid structure

$(A,\ e : I \to A,\ m : A \otimes A \to A)$

satisfying

$A \otimes d ; m \otimes A = m ; d = d \otimes A ; A \otimes m$.



Note that an algebra is a module over itself (on the left and on the right),
and a coalgebra a comodule over itself (again on both sides). We can write the
Frobenius equations in diagrams as the two commuting squares

$$\begin{array}{ccccc}
A \otimes A \otimes A & \xleftarrow{\;d \otimes A\;} & A \otimes A & \xrightarrow{\;A \otimes d\;} & A \otimes A \otimes A \\
\downarrow{\scriptstyle A \otimes m} & & \downarrow{\scriptstyle m} & & \downarrow{\scriptstyle m \otimes A} \\
A \otimes A & \xleftarrow{\;d\;} & A & \xrightarrow{\;d\;} & A \otimes A
\end{array}$$

and we see that they say that $d$ is a map of right and left modules. Equivalently
(and by symmetry) they say that $m$ is a map of right and left comodules.

In mathematics algebras with a Frobenius structure have played a role in
representation theory for a century, certainly since Frobenius [10]. The condition
is explicitly identified in work of T. Nakayama and C. Nesbitt from the late 1930s.
Sources for this early history are mentioned in [23]. An important conceptual
understanding of the Frobenius condition or structure was suggested by Lawvere
[24].



Definition 4. A Frobenius abstract interpretation is an abstract interpretation in
which the comonoid and monoid structures on each object form a commutative
Frobenius algebra in the sense of Definition 3.

We note that for an object $A$ in Rel one readily calculates that

$A \otimes d ; m \otimes A = m ; d = d \otimes A ; A \otimes m$

is the relation A x A ^ A x A identifying equal elements of the diagonal. So 
Rel is a Frobenius abstract interpretation. In view of remarks below, one could 
regard this as explaining why the objects in Rel are self-dual! On the other
hand it is easy to see that the Frobenius condition fails for Lin. This is related
to the fact that we do not generally have $P^{op} = P$ for posets $P$.

Since the comonoid structure of a Frobenius algebra is not natural with re- 
spect to the monoid structure (and dually not vice-versa either), we are not deal- 
ing with a commutative sketch in the sense of [17]: rather one needs the more 
general theory of [18]. As a consequence the identification of the free Frobenius 
algebra, given in the next section, is non-trivial. However a simplifying feature 
of Frobenius algebras is that they carry their own duality with them. In fact 
Frobenius algebras are self dual: one has the unit

$I \xrightarrow{\;e_A\;} A \xrightarrow{\;d_A\;} A \otimes A,$

and the counit

$A \otimes A \xrightarrow{\;m_A\;} A \xrightarrow{\;t_A\;} I.$



By straightforward calculation one has

$$\begin{aligned}
(e_A ; d_A) \otimes \mathrm{id}_A ; \mathrm{id}_A \otimes (m_A ; t_A)
&= e \otimes \mathrm{id}_A ; d \otimes \mathrm{id}_A ; \mathrm{id}_A \otimes m ; \mathrm{id}_A \otimes t \\
&= e \otimes \mathrm{id}_A ; m ; d ; \mathrm{id}_A \otimes t \\
&= \mathrm{id}_A ; \mathrm{id}_A = \mathrm{id}_A
\end{aligned}$$

giving one of the triangle identities, and symmetrically one has

$\mathrm{id}_A \otimes (e_A ; d_A) ; (m_A ; t_A) \otimes \mathrm{id}_A$

which is the other.
which is the other. This shows that in any symmetric monoidal closed category 
the Frobenius objects live in the compact closed core. Moreover it is easy to see 
that the intrinsic duality interchanges the comonoid and monoid structures on 
a Frobenius algebra. So the abstract interpretation aspect is also automatic. So 
overall to give abstract interpretations it suffices to find Frobenius algebras in 
some symmetric monoidal closed category. 
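The Rel example of section 1.4 and the calculations of this section, checked concretely in Python on a small set, as an added example that is not from the paper. Objects are finite sets; a $k$-fold tensor is represented by flat $k$-tuples so that associativity is on the nose and the unit $I$ is the one-point set $\{()\}$; the comonoid is induced by the diagonal of Set and the monoid is its converse, as in the text. The functions test the comonoid laws, the Frobenius equation (which comes out as the relation identifying equal elements of the diagonal, as stated above) and the first triangle identity. The tuple-flattening representation and the function names are this example's own choices.

```python
# A relation R : A^i -> A^j is a frozenset of (i-tuple, j-tuple) pairs; tensor
# powers of A are flattened, so I = A^0 has the single element ().

def compose(R, S):
    """Diagrammatic composition R ; S (first R, then S)."""
    return frozenset((x, z) for (x, y) in R for (y2, z) in S if y == y2)

def tensor(R, S):
    """R (x) S on flattened tuples: concatenate inputs and outputs."""
    return frozenset((x + u, y + v) for (x, y) in R for (u, v) in S)

def converse(R):
    """The duality (-)^* of Rel: reverse every pair; the identity on objects."""
    return frozenset((y, x) for (x, y) in R)

def ident(A):
    return frozenset(((a,), (a,)) for a in A)

def swap(A):
    """The symmetry c_{A,A}."""
    return frozenset(((a, b), (b, a)) for a in A for b in A)

def counit(A):        # t_A : A -> I, induced by the map to the one-point set
    return frozenset(((a,), ()) for a in A)

def comult(A):        # d_A : A -> A (x) A, induced by the diagonal of Set
    return frozenset(((a,), (a, a)) for a in A)

def unit(A):          # e_A = (t_A)^*
    return converse(counit(A))

def mult(A):          # m_A = (d_A)^*
    return converse(comult(A))

def comonoid_laws_hold(A):
    """Counit, coassociativity and commutativity for (t_A, d_A)."""
    i, t, d = ident(A), counit(A), comult(A)
    return (compose(d, tensor(t, i)) == i and compose(d, tensor(i, t)) == i
            and compose(d, tensor(d, i)) == compose(d, tensor(i, d))
            and compose(d, swap(A)) == d)

def frobenius_sides(A):
    """The three sides of  A(x)d ; m(x)A  =  m ; d  =  d(x)A ; A(x)m  in Rel."""
    i, d, m = ident(A), comult(A), mult(A)
    return (compose(tensor(i, d), tensor(m, i)),
            compose(m, d),
            compose(tensor(d, i), tensor(i, m)))

def diagonal_relation(A):
    """The relation A x A -> A x A relating (a, a) to itself and nothing else."""
    return frozenset(((a, a), (a, a)) for a in A)

def triangle_identity_holds(A):
    """(e;d) (x) id ; id (x) (m;t) = id, the first triangle identity above."""
    i = ident(A)
    left = compose(tensor(compose(unit(A), comult(A)), i),
                   tensor(i, compose(mult(A), counit(A))))
    return left == i
```

Running the checks on a three-element set confirms each claim in the text: the three sides of the Frobenius equation coincide with the diagonal relation, the duality carries $d_A$ to $m_A$, and the unit and counit built from $e;d$ and $m;t$ satisfy the triangle identity.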



2.2 The Free Frobenius Algebra

In recent times the study of Frobenius algebras has become compelling following 
the identification of 2-dimensional Topological Quantum Field Theories (TQFT) 
with commutative Frobenius algebras [9]. A readable intuitive explanation is 
given in [23]. In essence this arises from an identification of the free symmetric 
monoidal category generated by a Frobenius algebra. We state this in the cus- 
tomary rough and ready way: though we make some of the ideas more precise 
in a moment, there is a limit to what it is useful to do here. 
Proposition 1.

To make things more precise, we might as well engage at once with the 
strict version of the above. In that view the free symmetric monoidal category 
generated by a Frobenius algebra has objects 

$0, 1, 2, \ldots, n, \ldots$ 

which should be regarded as representatives of finite sets. The maps from n to 
m are determined by an equivalence relation on n + m, which one can think of 
as giving connected components topologically, together with an association to 
each of these connected components of a natural number (the genus). 

Dijkgraaf's identification of two-dimensional TQFT has been independently 
established more or less precisely by a number of people. I not unnaturally like 
the account in Carmody [7] which already stresses the wiring diagrams in the 
sense of [17] and [18], as well as rewriting in the style of the identification of 
the simplicial category by generators and relations [26] . We shall show that the 
TQFT aspect of Frobenius algebras runs parallel to a simple topological idea of 
abstract interpretation. 

2.3 Representative Calculations 

We consider here the obvious interpretation of classical proofs in the symmetric 
monoidal category generated by a Frobenius algebra. In this interpretation all 
atomic propositions are interpreted by the generating Frobenius algebra, so are 
not distinguished. Also the interpretation is not sensitive to negation. Despite 
that, the interpretation does detect some structural features of proofs. We already 
explained the data for a map in the free symmetric monoidal category generated 
by a Frobenius algebra: it consists of a collection of connected components and 
a genus attached to each. A proof $\pi$ in classical propositional logic gives rise to 
its interpretation $V(\pi)$, which is thus a map of this kind. One loses just a little 
information if one considers only the invariants given by the homology 

$H_0(\pi) = H_0(V(\pi), \mathbb{Q})$ and $H_1(\pi) = H_1(V(\pi), \mathbb{Q})$ 

of a proof $\pi$. We set 

$h_0(\pi) = \dim H_0(\pi)$ and $h_1(\pi) = \dim H_1(\pi)$. 

Usually we ensure there will be just one connected component so that one 
loses no information in passing to homology: the invariant reduces to the genus, 
usually written $g = h_1(\pi)$. 
1. Proofs in MLL. The Frobenius algebra interpretation of proofs in Multiplicative 
Linear Logic should be regarded as one of the fundamentals of 
the subject. For simplicity we follow [14] in dealing with a one-sided sequent 
calculus. 

— For an axiom 

we have 

$h_0(\alpha) = 1$ and $h_1(\alpha) = 0$. 

— For the $\wedge$-R rule 

$\dfrac{\vdash^{\pi_1} \Gamma, A \qquad \vdash^{\pi_2} \Delta, B}{\vdash^{\pi} \Gamma, \Delta, A \wedge B}$ 

we have 

$h_0(\pi) = h_0(\pi_1) + h_0(\pi_2) - 1$ and $h_1(\pi) = h_1(\pi_1) + h_1(\pi_2)$. 

— For the $\vee$-L rule 

$\dfrac{\vdash^{\pi'} \Gamma, A, B}{\vdash^{\pi} \Gamma, A \vee B}$ 

we have 

$h_0(\pi) = h_0(\pi')$ and $h_1(\pi) = h_1(\pi') + 1$. 

The final claims need to be justified inductively using the fact that we 
always have one connected component, that is, we always have $h_0 = 1$. 

We deduce from the above that for a proof $\pi$ in multiplicative linear 
logic, the genus counts the number of pars (that is, for us, occurrences of $\vee$) in 
the conclusions. Thus the Frobenius algebra interpretation points towards 
the Danos-Regnier correctness criterion. (My student Richard Garner has 
given a full analysis along these lines.) 

2. Distributive Law. Perhaps the simplest interesting non-linear proofs are 
those of the distributive laws. Consider first the proof 

$A \vdash A \quad B \vdash B \qquad\qquad A \vdash A \quad C \vdash C$ 
$A, B \vdash A \wedge B \qquad\qquad A, C \vdash A \wedge C$ 
$A, A, B \vee C \vdash A \wedge B, A \wedge C$ 
$A, B \vee C \vdash A \wedge B, A \wedge C$ 
$A \wedge (B \vee C) \vdash (A \wedge B) \vee (A \wedge C)$ 

(each line is the conclusion of the rule applied to the line above it). 

From the proof net one readily sees that one has $h_0 = 1$, that is, one has 
one connected component, and that $h_1 = 3$. There are just two occurrences 
of $\vee$, so a linear proof would have $h_1 = 2$. Thus the invariant does detect 
the non-linearity. 

I do not give here the most natural proof of the converse distributive law: 
$(A \wedge B) \vee (A \wedge C) \vdash A \wedge (B \vee C)$. It seems necessarily more complex, in that 
the most obvious proof has $h_0 = 1$ but $g = h_1 = 8$. The proof does not just 
reverse. 
3. The Natural Numbers. Recall that (up to $\beta\eta$-equivalence) the constructive 
proofs of $(A \to A) \to (A \to A)$ correspond to the Church numerals in 
the lambda calculus. (Implicitly we should rewrite $(A \to A) \to (A \to A)$ 
as $(A \wedge \neg A) \vee (\neg A \vee A)$; but there are obvious corresponding proofs.) Let 
$\pi_n$ be the proof given by the $n$th Church numeral $\lambda f, x.\, f^n(x)$. We compute 
the invariants for these proofs $\pi_n$. With just one conclusion we have forced 
$h_0(\pi_n) = 1$, so we just look at the genus. The proof net picture immediately 
shows us that $h_1(\pi_n) = n + 1$. So the invariant readily distinguishes these 
proofs. 

Now consider what it is to compose proofs $\pi_n$ and $\pi_m$ with the proof 
$\mu = \lambda a, b, f.\, a(b(f))$ of 

$(A \to A) \to (A \to A),\ (A \to A) \to (A \to A) \vdash (A \to A) \to (A \to A)$ 

corresponding to multiplication on the Church numerals. This gives a 
proof $\mu|\pi_n|\pi_m$ with cuts. We compute the invariants for the interpretation 
$V(\mu|\pi_n|\pi_m)$ in our model. This is just an exercise in counting holes. Generally 
we find that 

$h_0(\mu|\pi_n|\pi_m) = 1$ and $h_1(\mu|\pi_n|\pi_m) = n + m$. 

However the case $n = m = 0$ is special. We get 

$h_0(\mu|\pi_0|\pi_0) = 2$ and $h_1(\mu|\pi_0|\pi_0) = 1$. 

(Note that the Euler characteristic is consistent!) 

Of course if we reduce $\mu|\pi_n|\pi_m$ to normal form we get $\pi_{nm}$ with 

$h_0(\pi_{nm}) = 1$ and $h_1(\pi_{nm}) = nm + 1$. 

So the interpretation distinguishes proofs from their normal forms. The 
need to think this way about classical proof was stressed in [16]. 



3 Traced Monoidal Categories 

3.1 Background 

With our Frobenius Algebra interpretation we got the compact closed aspect 
of our abstract interpretation for free. For our second example we exploit a 
general method for constructing compact closed categories from traced monoidal 
categories. We recall the basic facts concerning traced monoidal categories. We 
do not need the subtleties of the braided case explained in the basic reference 
[20]. So for us a traced monoidal category is a symmetric monoidal category 
equipped with a trace operation 

$\mathrm{tr}^{C}_{A,B} : C(A \otimes C, B \otimes C) \to C(A, B)$ 

satisfying elementary properties of feedback. A useful perspective, and diagrams 
without the braidings in [20], is provided by Hasegawa [15]. It is a commonplace 
amongst workers in Linear Logic that traced monoidal categories provide 
a backdrop to Girard's Geometry of Interaction. 

If C is a traced monoidal category, then its integral completion Int(C) is 
defined as follows. 

— The objects of Int(C) are pairs $(A_0, A_1)$ of objects of C. 

— Maps $(A_0, A_1) \to (B_0, B_1)$ in Int(C) are maps $A_0 \otimes B_1 \to B_0 \otimes A_1$ of C. 

— Composition of $f : (A_0, A_1) \to (B_0, B_1)$ and $g : (B_0, B_1) \to (C_0, C_1)$ is given 
by taking the trace $\mathrm{tr}(\sigma; f \otimes g; \tau)$ of the composite of $f \otimes g$ with the obvious 
symmetries 

$A_0 \otimes C_1 \otimes B_0 \otimes B_1 \xrightarrow{\;\sigma\;} A_0 \otimes B_1 \otimes B_0 \otimes C_1$, 

and 

$B_0 \otimes A_1 \otimes C_0 \otimes B_1 \xrightarrow{\;\tau\;} C_0 \otimes A_1 \otimes B_0 \otimes B_1$. 

— Identities $(A_0, A_1) \to (A_0, A_1)$ are given by the identity $A_0 \otimes A_1 \to A_0 \otimes A_1$. 
The basic result from [20] is the following. 

Theorem 1. If C is a traced monoidal category then Int(C) is compact closed. [The remainder of the statement is not legible in the scan.] 

3.2 Abstract Interpretations via Traces 

Suppose that we have a traced monoidal category C in which every object A is 
equipped with the structure of a commutative comonoid 

$I \leftarrow A \to A \otimes A$ 

and of a commutative monoid 

$I \to A \leftarrow A \otimes A$. 

Consider the compact closed category Int(C). Given an object $(A_0, A_1)$, we 
have maps 

$(A_0, A_1) \to (I, I)$ given by $A_0 \otimes I \to I \otimes A_1$ 

$(A_0, A_1) \to (A_0 \otimes A_0, A_1 \otimes A_1)$ given by $A_0 \otimes A_1 \otimes A_1 \to A_0 \otimes A_0 \otimes A_1$ 

which clearly equip it with the structure of a commutative comonoid; and dually 
we have maps 

$(I, I) \to (A_0, A_1)$ given by $I \otimes A_1 \to A_0 \otimes I$ 

$(A_0 \otimes A_0, A_1 \otimes A_1) \to (A_0, A_1)$ given by $A_0 \otimes A_0 \otimes A_1 \to A_0 \otimes A_1 \otimes A_1$ 

which equip it with the structure of a commutative monoid. These structures 
are manifestly interchanged (on the nose) by the duality. Thus such situations 
will always lead to abstract interpretations. 

3.3 Traced Categories with Biproducts 

We consider the special case where the tensor product in a traced monoidal 
category is a biproduct (see for example [25]). Under these circumstances one 
has a canonical choice of commutative comonoid and monoid structure, and so 
a natural abstract interpretation. 

We recall that a category C with biproducts is enriched in commutative 
monoids. More concretely each hom-set C{A,B) is equipped with the struc- 
ture of a commutative monoid (which we write additively) and composition is 
bilinear in that structure. It follows that for each object A its endomorphisms 
$\mathrm{End}_C(A) = C(A, A)$ has the structure of what is now called a rig, that is to say 
a (commutative) ring without negatives. One can explain in these terms what it 
is to equip a category with biproducts with a trace. Here we concentrate on the 
one object case, which is the only case considered in the main reference [3]. 

We recall the notion of Conway Algebra (essentially in Conway [8]) as articulated 
in [3]. 

Definition 5. A Conway algebra is a rig $A$ equipped with an operation 

$(-)^* : A \to A,\quad a \mapsto a^*$ 

satisfying 

$(ab)^* = 1 + a(ba)^*b$ 
$(a + b)^* = (a^*b)^*a^*$ 



It is immediate that in a traced monoidal category C whose tensor product 
is a biproduct each $\mathrm{End}_C(A)$ is a Conway Algebra, the operation $(-)^*$ being 
given by 

$a^* = \mathrm{tr}\begin{pmatrix} 0 & 1 \\ 1 & a \end{pmatrix}$. 



In the case of a category generated by a single object $U$, the requirement 
that $\mathrm{End}_C(U)$ be a Conway algebra is in fact sufficient. Generally one takes the 
trace of a map $A \otimes C \to B \otimes C$ given by the matrix 

$\begin{pmatrix} a & b \\ c & d \end{pmatrix}$ 

with $a \in C(A, B)$, $b \in C(C, B)$, $c \in C(A, C)$, $d \in C(C, C)$ using the natural 
formula [not legible in the scan]. 

So to identify the free traced monoidal category with biproducts on an object 
$U$ it suffices to identify the free Conway algebra on no generators. 

Fortunately that is already known. In [8] Conway effectively identifies the 
elements of the free Conway algebra on no generators: the distinct elements are 
those of the form 

$\{\, n \mid n \ge 0 \,\} \cup \{\, [\text{not legible}] \mid n, m \ge 1 \,\} \cup \{\, 1^{**} \,\}$. 

The algebraic structure can be deduced from the following absorption rules. 

$1 + (1^*)^n = (1^*)^n$ 

[The remaining absorption rules are not legible in the scan.] 

3.4 Representative Calculations 

The objects in the free traced monoidal category with biproducts generated by 
a single object are (as we had earlier) 

$0, 1, 2, \ldots, n, \ldots$ 

representatives of finite sets. But now the maps from $n$ to $m$ are given by $m \times n$ 
matrices with entries in the free Conway algebra just described. 

Taking Int gives us objects of the form $(n, m)$ with $n$ and $m$ finite cardinals. 
We consider the interpretation which arises when each atomic proposition $A$ is 
interpreted by the object $(1, 0)$, with $\neg A$ therefore interpreted by $(0, 1)$. Proofs 
$\pi$ will have interpretations $V(\pi)$ which will be suitably sized matrices as above. 

1. Proofs in MLL. The data in an interpretation of a proof in multiplicative 
linear logic is familiar. Again we follow [14] by considering only one sided 
sequents. Suppose we have $\vdash^{\pi} \Gamma$. There will be some number, $n$ say, of 
occurrences of atomic propositions (literals) and the same number of the 
corresponding negations. So $\Gamma$ will be interpreted by the object $(n, n)$, and $\pi$ 
by an $n \times n$ matrix. For MLL this matrix will always be a permutation matrix 
giving the information of the axiom links in $\pi$. (Of course the permutation 
is just a construct of the order in which the literals and their negations are 
taken.) 

2. Distributive Laws. For simple proofs like those of the distributive laws 
the interpretation continues just to give information akin to that of axiom 
links. Consider first the proof of 

$A \wedge (B \vee C) \vdash (A \wedge B) \vee (A \wedge C)$ 

which we gave earlier. The interpretation is a map from $(3, 0)$ to $(4, 0)$, and 
so is given by a $4 \times 3$ matrix: it is 

$\begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 1 & 0 & 0 \\ 0 & 0 & 1 \end{pmatrix}$. 

The natural proof of the converse distributive law, 

$(A \wedge B) \vee (A \wedge C) \vdash A \wedge (B \vee C)$, 

may seem more complicated, but our current interpretation does not notice 
that. One gets 

$\begin{pmatrix} 1 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}$, 

which is just the transpose of the previous matrix. 

3. Natural Numbers. The interpretation of $(A \to A) \to (A \to A)$ is $(2, 2)$, so 
the natural number proofs $\pi_n$ are interpreted as $2 \times 2$ matrices. We get 

$V(\pi_n) = $ [matrix not legible in the scan; only an entry $n$ survives]. 

As before we consider what it is to compose proofs $\pi_n$ and $\pi_m$ with 
the proof $\mu = \lambda a, b, f.\, a(b(f))$ of multiplication. This is interpreted by the 
(obvious permutation) matrix 

$\begin{pmatrix} 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \end{pmatrix}$ 

where the first two rows and columns come from the codomain. Essentially 
we have to compose and take a trace. At first sight this is not very exciting 
and things seem much as before. We find 

$V(\mu|\pi_{n+1}|\pi_{m+1}) = \begin{pmatrix} n + m & 1 \\ 1 & 0 \end{pmatrix}$. 



But the connectivity of $\pi_0$ introduces an unexpected nuance. To compute 
$V(\mu|\pi_0|\pi_{m+1})$, we can compose one way to get the matrix 

$\begin{pmatrix} 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & m & 1 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \end{pmatrix}$ 

and then we need to take a not so obvious trace. We end up with 

$V(\mu|\pi_0|\pi_{m+1}) = \begin{pmatrix} 0 & 0 \\ 0 & m^* \end{pmatrix}$. 

For $V(\mu|\pi_0|\pi_0)$, the calculations are marginally simpler and we end up 
with 

$V(\mu|\pi_0|\pi_0) = $ [matrix not legible in the scan]. 

One sees that even simple cuts can produce cycles in a proof of a serious 
kind, and these are detected by our second interpretation. 




4 Summary 

In this paper I hope to have presented evidence that there are mathematical 
interpretations of classical proof which produce what can be regarded as invari- 
ants of proofs. Clearly there are many more possibilities than those touched on 
here. It seems worth making a couple of concluding comments. 

First, while the interpretations given do handle classical proofs, they do not 
appear to detect any particular properties of them. All examples given concern 
(very simple) familiar constructive proofs. There would have been no special 
interest, for example, in treating Peirce's Law. 

Secondly, these interpretations are sensitive to cut elimination. This appears 
to be a necessary feature of any mathematical theory of classical proof respecting 
the symmetries. Even for constructive proofs it suggests a quite different criterion 
for the identity of proofs than that given by equality of normal form. This 
criterion would have the merit of being sensitive inter alia to the use of Lemmas 
in mathematical practice. 
Applications of Craig Interpolation to Model Checking 

A Craig interpolant [1] for a mutually inconsistent pair of formulas (A,B) is a 
formula that is (1) implied by A, (2) inconsistent with B, and (3) expressed 
over the common variables of A and B. It is known that a Craig interpolant 
can be efficiently derived from a refutation of $A \wedge B$, for certain theories and 
proof systems. For example, interpolants can be derived from resolution proofs 
in propositional logic, and for “cutting planes” proofs for systems of linear in- 
equalities over the reals [5,3]. These methods have been extended to the theory 
of linear inequalities with uninterpreted function symbols [4] . 
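As an added illustration (not part of this abstract or its cited papers), the Python below extracts an interpolant from a propositional resolution refutation using the usual clause-labelling scheme: a leaf from A contributes the disjunction of its literals over the common variables, a leaf from B contributes TRUE, and a resolvent takes the OR of its parents' labels when the pivot is local to A and the AND otherwise. The clauses, the refutation and the variable names are constructed for this example, and the three Craig conditions are checked by exhaustive enumeration.

```python
"""Craig interpolant from a resolution refutation of A /\\ B (constructed example)."""
from itertools import product

# A literal is (variable, polarity); a clause is a frozenset of literals.
def lit(name, positive=True):
    return (name, positive)

def resolve(c1, c2, pivot):
    """Resolve c1 (containing pivot) with c2 (containing not-pivot) on pivot."""
    assert (pivot, True) in c1 and (pivot, False) in c2, "pivot must occur with opposite signs"
    return frozenset((c1 - {(pivot, True)}) | (c2 - {(pivot, False)}))

def clause_vars(clauses):
    return {v for c in clauses for (v, _) in c}

def interpolant_from_refutation(a_clauses, b_clauses, steps):
    """Return (derived_clause, interpolant) for the refutation `steps` of A and B.

    Leaves are named 'A0', 'A1', ... and 'B0', 'B1', ...; each step is
    (name, left, right, pivot) in derivation order.  Labels: A-leaf -> its
    common-variable literals, B-leaf -> TRUE, resolvent -> OR of the parents'
    labels if the pivot is A-local, AND otherwise.  The label of the empty
    clause is the Craig interpolant for (A, B).
    """
    va, vb = clause_vars(a_clauses), clause_vars(b_clauses)
    common = va & vb
    clauses, partial = {}, {}
    for i, c in enumerate(a_clauses):
        clauses[f"A{i}"] = c
        partial[f"A{i}"] = ("lits", frozenset(l for l in c if l[0] in common))
    for i, c in enumerate(b_clauses):
        clauses[f"B{i}"] = c
        partial[f"B{i}"] = ("true",)
    last = None
    for name, left, right, pivot in steps:
        clauses[name] = resolve(clauses[left], clauses[right], pivot)
        if pivot in va and pivot not in vb:      # A-local pivot: OR
            partial[name] = ("or", partial[left], partial[right])
        else:                                     # B-local or common pivot: AND
            partial[name] = ("and", partial[left], partial[right])
        last = name
    return clauses[last], partial[last]

def evaluate(f, env):
    """Evaluate an interpolant formula under the truth assignment `env`."""
    tag = f[0]
    if tag == "true":
        return True
    if tag == "lits":
        return any(env[v] == pos for (v, pos) in f[1])
    if tag == "or":
        return evaluate(f[1], env) or evaluate(f[2], env)
    return evaluate(f[1], env) and evaluate(f[2], env)

def formula_vars(f):
    if f[0] == "true":
        return set()
    if f[0] == "lits":
        return {v for (v, _) in f[1]}
    return formula_vars(f[1]) | formula_vars(f[2])

def clauses_hold(clauses, env):
    return all(any(env[v] == pos for (v, pos) in c) for c in clauses)

def check_interpolant(a_clauses, b_clauses, itp):
    """Verify the three Craig conditions by enumeration (small inputs only)."""
    va, vb = clause_vars(a_clauses), clause_vars(b_clauses)
    variables = sorted(va | vb)
    for bits in product([False, True], repeat=len(variables)):
        env = dict(zip(variables, bits))
        if clauses_hold(a_clauses, env) and not evaluate(itp, env):
            return False            # (1) A must imply the interpolant
        if clauses_hold(b_clauses, env) and evaluate(itp, env):
            return False            # (2) interpolant must be inconsistent with B
    return formula_vars(itp) <= (va & vb)   # (3) only common variables

# Constructed sample: A and B share only p; x is local to A, y is local to B.
A_CLAUSES = [frozenset({lit("x"), lit("p")}), frozenset({lit("x", False), lit("p")})]
B_CLAUSES = [frozenset({lit("p", False), lit("y")}), frozenset({lit("p", False), lit("y", False)})]
# Hand-written resolution refutation of A /\ B for this sample.
REFUTATION = [("R1", "A0", "A1", "x"),   # {x,p} + {-x,p}   -> {p}
              ("R2", "B0", "B1", "y"),   # {-p,y} + {-p,-y} -> {-p}
              ("R3", "R1", "R2", "p")]   # {p} + {-p}       -> {} (empty clause)

if __name__ == "__main__":
    empty, itp = interpolant_from_refutation(A_CLAUSES, B_CLAUSES, REFUTATION)
    print("derived clause:", set(empty), "interpolant:", itp)
    print("Craig conditions hold:", check_interpolant(A_CLAUSES, B_CLAUSES, itp))
```

For this sample the interpolant simplifies to the single common literal p: A forces p, and p alone already contradicts B.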

The derivation of interpolants from proofs has a number of applications in 
model checking. For example, interpolation can be used to construct an inductive 
invariant for a transition system that is strong enough to prove a given property. 
In effect, we can use interpolation to construct an abstract “image operator” that 
can be iterated to a fixed point to obtain an invariant. This invariant contains 
only information actually deduced by a prover in refuting counterexamples to 
the property of a fixed number of steps. Thus, in a certain sense, we abstract the 
invariant relative to a given property. This avoids the complexity of computing 
the strongest inductive invariant (i.e., the reachable states) as is typically done 
in model checking. 

This approach gives us a complete procedure for model checking temporal 
properties of finite-state systems that allows us to exploit recent advances in SAT 
solvers for the proof generation phase. Experimentally, this method is found to 
be quite robust for verifying properties of industrial hardware designs, relative 
to other model checking approaches. 

The same approach can be applied to infinite-state systems, such as programs 
and parameterized protocols, although there is no completeness guarantee in 
this case. Alternatively, interpolants derived from proofs can be used to infer 
predicates that are useful for predicate abstraction [6]. This approach has been 
used in software model checking to verify properties of C programs with in 
excess of 100K lines of code [2]. 
Bindings, Mobility of Bindings, and the ∇-Quantifier: An Abstract 

We present a meta-logic that contains a new quantifier ∇ (for encoding "generic 
judgments") and inference rules for reasoning within fixed points of a given specification. 
We then specify the operational semantics and bisimulation relations 
for the finite π-calculus within this meta-logic. Since we restrict to the finite 
case, the ability of the meta-logic to reason within fixed points becomes a powerful 
and complete tool, since simple proof search can compute the unique fixed 
point. The ∇ quantifier helps with the delicate issues surrounding the scope of 
variables within π-calculus expressions and their executions (proofs). We shall 
illustrate several merits of the logical specifications we write: they are natural 
and declarative; they contain no side conditions concerning names of bindings 
while maintaining a completely formal treatment of such bindings; differences 
between late and open bisimulation relations are easy to see declaratively; and 
proof search involving the application of inference rules, unification, and backtracking 
can provide complete proof systems for both one-step transitions and 
for bisimulation. This work is joint with Alwen Tiu and is described in more 
detail in the following papers. 
Abstract. The talk will be devoted to four open problems I was unsuccessfully 
trying to solve in the past. These problems concern: 

— Regular and Context-Free Dynamic Logic; 

— The question of polymorphic collapse; 

— Higher-order push-down stores and procedures; 

— Polymorphic definability of recursive data types. 

Each of these problems addresses a basic issue in the logical founda- 
tions of computer science, and each has been open for a long time. This 
talk aims at bringing back the challenge, and sorting out the related 
confusions. 
Abstract. We study infinite stochastic games played by n players on 
a finite graph with goals given by sets of infinite traces. The games 
are stochastic (each player simultaneously and independently chooses an 
action at each round, and the next state is determined by a probability 
distribution depending on the current state and the chosen actions), 
infinite (the game continues for an infinite number of rounds), nonzero 
sum (the players' goals are not necessarily conflicting), and undiscounted. 
We show that if each player has a reachability objective, that is, if the 
goal for each player $i$ is to visit some subset $R_i$ of the states, then there 
exists an ε-Nash equilibrium in memoryless strategies, for every ε > 0. 
However, exact Nash equilibria need not exist. We study the complexity 
of finding such Nash equilibria, and show that the payoff of some ε-Nash 
equilibrium in memoryless strategies can be ε-approximated in NP. 

We study the important subclass of n-player turn-based probabilistic 
games, where at each state at most one player has a nontrivial choice of 
moves. For turn-based probabilistic games, we show the existence of ε-Nash 
equilibria in pure strategies for games where the objective of player 
$i$ is a Borel set $B_i$ of infinite traces. However, exact Nash equilibria may 
not exist. For the special case of ω-regular objectives, we show exact 
Nash equilibria exist, and can be computed in NP when the ω-regular 
objectives are expressed as parity objectives. 



1 Introduction 

The interaction of several agents is naturally modeled as non-cooperative games 
[19,21]. The simplest, and most common, interpretation of a non-cooperative 
game is that there is a single interaction among the players ("one-shot"), after 
which the payoffs are decided and the game ends. However, many, if not all, 
strategic endeavors occur over time, and in a stateful manner. That is, the games 
progress over time, and the current game is decided based on the history of the 
interactions. Infinite stochastic games [24, 9, 6] form a natural model for such 
interactions. A stochastic game is played over a finite state space, and is played 
in rounds. In each round, each player chooses an available action out of a finite 
set of actions simultaneously with and independently from all other players, and 
the game moves to a new state under a possibly probabilistic transition relation 
based on the current state and the joint actions. For the verification and control 
of reactive systems, such games are infinite: play continues for an infinite number 
of rounds, giving rise to an infinite sequence of states, called the outcome of the 
game. The players receive a payoff based on a payoff function mapping infinite 
outcomes to a real in [0, 1]. 

Payoffs are generally Borel measurable functions [18]. For example, the payoff 
set for each player is a Borel set $B_i$ in the Cantor topology on $S^\omega$ (where $S$ is the 
set of states), and player $i$ gets payoff 1 if the outcome of the game is a member of 
$B_i$, and 0 otherwise. In verification, payoff functions are usually index sets of 
ω-regular sets. ω-regular sets occur in low levels of the Borel hierarchy (they 
are in $\Sigma_3 \cap \Pi_3$), but they form a robust and expressive language for determining 
payoffs for commonly used specifications [16]. The simplest ω-regular games 
correspond to safety (closed sets) or reachability (open sets) objectives. 

Games may be zero sum, where two players have directly conflicting objectives 
and the payoff of one player is one minus the payoff of the other, or nonzero 
sum, where each player has a prescribed payoff function based on the actions 
of all the other players. The fundamental question for games is the existence 
of equilibrium values. For zero sum games, this involves showing a determinacy 
theorem that states that the expected optimum value obtained by player 1 is 
exactly one minus the expected optimum value obtained by player 2. For one-shot 
zero sum games, this is von Neumann's minmax theorem [30]. For infinite 
games, the existence of such equilibria is not obvious; in fact, by using the axiom 
of choice, one can construct games for which determinacy does not hold. 
However, a remarkable result by Martin [18] shows that all stochastic zero sum 
games with Borel payoffs are determined. 

For nonzero sum games, the fundamental equilibrium concept is a Nash 
equilibrium [11], that is, a strategy profile such that no player can gain by deviating 
from the profile, assuming all other players continue playing their strategies in 
the profile. Again, for one-shot games, the existence of such equilibria is guaranteed 
by Nash's theorem [11]. However, the existence of Nash equilibria in infinite 
games is not immediate: Nash's theorem holds for finite bimatrix games, but in 
the case of stochastic games, the possible number of strategies is infinite. The existence 
of Nash equilibria is known only in very special cases of stochastic games. 
In fact, Nash equilibria may not exist, and the best one can hope for is an ε-Nash 
equilibrium for all ε > 0, where an ε-Nash equilibrium is a strategy profile 
where unilateral deviation can only increase the payoff of a player by at most 
ε. Exact Nash equilibria do exist in discounted stochastic games [10], and other 
special cases [26,27]. For limit average payoffs, exact Nash equilibria need not 
exist even for two-player games [1]. Recently the existence of ε-Nash equilibria 
for all ε > 0 was proved in [28,29] for the two-player case, and the general case 
remains an important open question. For games with payoffs defined by Borel 
sets, surprisingly little is known. Secchi and Sudderth [23] showed that exact 
Nash equilibria do exist when all players have payoffs defined by closed sets 
("safety games"), where the objective of each player is to stay within a certain 
set of good states. Formally, each player $i$ has a subset of states $S_i$ as their safe 
states, and gets a payoff 1 if the play never leaves the set $S_i$ and gets payoff 0 
otherwise. This result was generalized to general state and action spaces [23, 15], 
where only ε-equilibria exist. 

However, not much more is known: for example, the existence of ε-Nash 
equilibria when the payoff for each player is given by an open set ("reachability 
games") remained open. In the open (or reachability) game, each player $i$ has 
a subset of states $R_i$ as reachability targets. Player $i$ gets payoff 1 if the outcome 
visits some state from $R_i$ at some point, and 0 otherwise. In this case, an 
ε-equilibrium is the best one can hope for: there exist two-player reachability 
games for which no exact Nash equilibria exist [13]. In this paper, we answer 
this question in the affirmative: we show that every n-player reachability game 
has an ε-Nash equilibrium, for every ε > 0. Moreover, there is an ε-Nash equilibrium 
profile of memoryless strategies (a strategy is memoryless if it only depends 
on the current state of the game, and not on the history). However, strategies 
in general may require randomization. We achieve our result by going through 
discounted games. Our proof has three main technical ingredients: the existence 
of equilibria in certain discounted games, the approximability of such equilibria 
with simple strategies, and the approximability of certain undiscounted payoffs 
in a Markov decision process (MDP) by discounted payoffs. First, we use the 
existence of exact Nash equilibria in memoryless strategies in discounted reachability 
games, that is, reachability games where play stops at each round with 
a probability $\beta < 1$, and continues to the next round with probability $1 - \beta$. 
Second, we show that the exact Nash equilibrium in discounted games can be 
approximated by simple strategy profiles, where each player plays uniformly over 
a multi-set of actions, and the size of the multi-set can be bounded in terms of 
the number of players and the size of the game. Third, using a result of Condon 
[3], we show that for an MDP, for any ε > 0, we can choose the discount factor 
$\beta$ such that the difference between the payoffs in the original MDP and the discounted 
MDP is bounded by ε. It follows that on the MDP obtained by fixing 
these simple strategies for all but player $i$, player $i$ cannot significantly increase 
his payoff by switching to a different strategy. This construction yields an ε-Nash 
equilibrium in memoryless strategies. In contrast, the proof for safety games [23] 
proceeds by induction on the number of players, and does not give a Nash equilibrium 
in memoryless strategies. It is not known if exact Nash equilibria in 
memoryless strategies exist for safety games. 

Computing the values of a Nash equilibrium, when it exists, is another challenging 
problem [20,31]. For one-shot zero sum games, equilibrium values and 
strategies can be computed in polynomial time (by reduction to linear programming) 
[19]. For zero-sum stochastic games with ω-regular payoffs, doubly exponential 
time algorithms can be obtained to approximate the value to within ε by 
expressing the value as nested fixpoints, and then reducing to the validity of a 
sentence in the theory of reals [6]. For one-shot nonzero sum games, no polynomial 
time algorithm to compute an exact Nash equilibrium in a two-player game 
is known [20]. 

We study the complexity of approximating Nash equilibria in reachability 
games. We give an NP algorithm to approximate the value of some ε-Nash equilibrium 
in memoryless strategies, for any constant ε > 0. We show that the 
problem of finding a Nash equilibrium in a reachability game in pure (i.e., not 
requiring randomization) memoryless strategies, if it exists, where each player 
gets at least some (specified) payoff is NP-complete. In contrast, for matrix 
games, finding a pure Nash equilibrium, if it exists, can always be achieved in 
polynomial time in the size of the input. Related NP-hardness results appear in [4], 
but our results do not follow from theirs as their hardness proof does not hold for 
pure strategy Nash equilibria. For two-player zero-sum games with reachability 
objective, values can be algebraic and there are simple examples when they are 
irrational [6]. Hence one can only hope to compute it to an ε-precision. 

Interestingly, the techniques we develop for the nonzero sum games can be 
used to get better complexities for the zero sum case. In particular, we show an 
improved NP ∩ co-NP upper bound to approximate the value for two-player 
zero sum reachability games within ε-tolerance for any constant ε. This improves 
the previously best known EXPTIME upper bound for reachability games [6]. 
This also generalizes a result of Condon [3]. Open and closed sets form the lowest 
level of the Borel hierarchy, and together with [23], this paper answers positively 
the existence of (ε-)Nash equilibria in such games. We leave the generalization 
of these results to higher levels of the Borel hierarchy as an interesting open 
problem. 

An important class of stochastic games are turn-based probabilistic games [27, 
22, 9], where at each stage, at most one player has a nontrivial choice of actions. 
In verification, such games model asynchronous interactions among components. 
For turn-based probabilistic games, we prove the existence of ε-Nash equilibria 
for payoffs specified by arbitrary Borel sets. Moreover, we show that there is an 
ε-equilibrium strategy profile in pure strategies, that is, strategies that do not 
require randomization. Our proof proceeds in two steps. First, we prove a pure 
strategy determinacy theorem for turn-based probabilistic zero sum games and 
Borel payoff functions. The proof is a specialization of Martin's determinacy 
proof for stochastic games with Borel payoffs [18]. Second, using this and a 
general construction from [19], we show that ε-Nash equilibria 
exist for all turn based probabilistic nonzero sum games with arbitrary Borel set 
payoffs. We show this result is optimal: there exist turn-based probabilistic games 
with Borel payoffs for which exact Nash equilibria do not exist. As a special 
case, we study turn-based probabilistic games with parity winning objectives [7]. 
Parity objectives form a canonical form for all ω-regular winning objectives [7]. 
Using the existence of pure memoryless optimal strategies for zero sum turn-based 
probabilistic parity games, we show the existence of pure strategy exact Nash 
equilibria for parity payoffs. This proves that (exact) Nash equilibria exist for 
turn based probabilistic games with ω-regular payoffs. We give corresponding 
complexity results to compute Nash equilibrium solutions. Using an NP ∩ co-NP 
strategy construction algorithm for probabilistic turn-based zero sum parity 
games [2], we get an NP algorithm to find an exact Nash equilibrium in these 
games. Figure 1 gives a summary of known and new (our) results in this area. 

Fig. 1. Summary of known and new/our (asterisk (*)) results. "General" is for stochastic 
games, "TB" for turn-based probabilistic games. "Z" denotes zero sum, "NZ" denotes 
nonzero sum. A '?' denotes an open problem. The "Strategy" column indicates 
existence of an (exact or ε) Nash equilibrium with that class of strategies; for example, 
there exists an ε-Nash equilibrium profile in memoryless strategies for n-player nonzero 
sum reachability games. [The table itself is not reproduced in the scan.] 

2 Definitions 

An n-player stochastic game G consists of a finite, nonempty set of states S, n players 1, 2, ..., n, finite action sets A_1, A_2, ..., A_n for the players, a conditional probability distribution p on S × (A_1 × A_2 × ⋯ × A_n) called the law of motion, and bounded, real valued payoff functions φ_1, φ_2, ..., φ_n defined on the history space H = S × A × S × A × ⋯, where A = A_1 × A_2 × ⋯ × A_n. The game is called an n-player deterministic game if for all states s ∈ S and action choices a = (a_1, a_2, ..., a_n) there is a unique state s' such that p(s' | s, a) = 1.

Play begins at an initial state s_0 = s ∈ S. Each player i independently and concurrently selects a mixed action a_i^1 with a probability distribution σ_i(s) belonging to D(A_i), the set of probability measures on A_i. Given s_0 and the chosen mixed actions a^1 = (a_1^1, a_2^1, ..., a_n^1) ∈ A, the next state s_1 has the probability distribution p(· | s_0, a^1). Then again each player i independently selects a_i^2 with a distribution σ_i((s_0, a^1, s_1)) and, given a^2 = (a_1^2, a_2^2, ..., a_n^2), the next state s_2 has the probability distribution p(· | s_1, a^2). Play continues in this way for an infinite number of steps and generates a random history h = (s_0, a^1, s_1, a^2, ...) ∈ H. The payoff is decided based on the infinite history.

A function that specifies for each partial history h' = (s_0, a^1, s_1, a^2, ..., s_k) the conditional distribution π_i(h') ∈ D(A_i) for player i's next action is called a strategy for player i. A strategy profile π = (π_1, π_2, ..., π_n) consists of a strategy π_i for each player i. A selector for a player i is a mapping σ_i : S → D(A_i). A selector profile σ = (σ_1, σ_2, ..., σ_n) consists of a selector σ_i for each player i. A selector defines a memoryless strategy σ_i^∞ for player i: σ_i^∞ chooses the mixed action σ_i(s') each time the play visits s'. A strategy profile σ^∞ = (σ_1^∞, σ_2^∞, ..., σ_n^∞) is a memoryless strategy profile if all the strategies σ_1^∞, ..., σ_n^∞ are memoryless. Given a memoryless strategy profile σ^∞ = (σ_1^∞, σ_2^∞, ..., σ_n^∞) we write σ = (σ_1, σ_2, ..., σ_n) to denote the corresponding selector profile for the players. An initial state s and a strategy profile π = (π_1, π_2, ..., π_n) together with the law of motion p determine a probability distribution P_{s,π} on the history space. We write E_{s,π} for the expectation operator associated with P_{s,π}. A strategy π_i for player i is pure if for every history h = (s_0, a^1, s_1, ..., a^k, s_k) there is an action a_k ∈ A_i such that π_i(h)(a_k) = 1. In other words, a strategy is pure if for every history the strategy chooses one action rather than a probability distribution over the action set. A strategy profile is pure if all the strategies of the profile are pure.

Given a strategy profile τ = (τ_1, τ_2, ..., τ_n) the strategy profile τ_{−i} = (τ_1, ..., τ_{i−1}, τ_{i+1}, ..., τ_n) is the strategy profile obtained by deleting the strategy τ_i from τ, whereas for any strategy ρ_i of player i, (τ_{−i}, ρ_i) = (τ_1, ..., τ_{i−1}, ρ_i, τ_{i+1}, ..., τ_n) denotes the strategy profile where player i follows ρ_i and the other players follow the strategies of τ_{−i}. Similar definitions hold for selector profiles as well.

Assume now that the payoff functions φ_i : H → ℝ are bounded and measurable, where ℝ is the set of reals. If the initial state of the game is s and each player i chooses a strategy π_i, then the payoff to each player i is the expectation E_{s,π} φ_i, where π is the strategy profile π = (π_1, π_2, ..., π_n). For ε > 0, an ε-equilibrium at the initial state s is a profile π = (π_1, π_2, ..., π_n) such that, for all i = 1, 2, ..., n, we have E_{s,π} φ_i ≥ sup_{ρ_i} E_{s,(π_{−i},ρ_i)} φ_i − ε, where ρ_i ranges over the set of all strategies for player i. In other words, each π_i guarantees an expected payoff for player i which is within ε of the best possible expected payoff for player i when every other player j ≠ i plays π_j. A 0-equilibrium is called a Nash equilibrium, and for every ε > 0 an ε-equilibrium is called an ε-Nash equilibrium [11]. A strategy profile π for an ε-Nash equilibrium is called an ε-equilibrium profile. A strategy profile π for a Nash equilibrium is called a Nash equilibrium profile.

Let R_1, R_2, ..., R_n be subsets of the state space S. The subset of states R_i is referred to as the target set for player i. Then let R_1^∞, R_2^∞, ..., R_n^∞ be the subsets of H defined by R_i^∞ = {h = (s_0, a^1, s_1, a^2, ...) | ∃k ∈ ℕ. s_k ∈ R_i} and take the payoff function φ_i^R to be the indicator function of R_i^∞ for i = 1, 2, ..., n. Thus each player receives a payoff of 1 if the process of states s_0, s_1, ... reaches a state in R_i and receives payoff 0 otherwise. We call stochastic games with payoff functions of this form reach-a-set games.

A two-player zero sum reachability game (also called a concurrent reachability game [5]) G is a two-player stochastic game with R_1 ⊆ S as a target set of states for player 1. Given a random history h = (s_0, a^1, s_1, a^2, ...), player 1 gets payoff 1 if the history contains a state in R_1; otherwise player 2 gets payoff 1. In other words, player 1 plays a reachability game with target set R_1 and player 2 has the strictly competing objective of keeping the game out of R_1 forever. Notice that this is not a two-player reach-a-set game.



3 Existence of ε-Nash Equilibria

The main result of this section is the existence of ε-Nash equilibria in n-player reach-a-set games for every ε > 0.

Theorem 1 (ε-equilibrium).



Already for two-player zero sum reachability games optimal strategies need not exist [13, 6]. The example can be easily adapted to show that Nash equilibria need not exist even for 2-player reach-a-set games. Hence an ε-Nash equilibrium for all ε > 0 is the best one can achieve for n-player reach-a-set games.

Memoryless Nash Equilibrium in Discounted Games. We first prove the existence of a Nash equilibrium in memoryless strategies in a discounted n-player reach-a-set game. Given an n-player game G we use G^β to denote a β-discounted version of the game G. The game G^β at each step halts with probability β (goes to a special sink state, which has reward 0 for every player) and continues as the game G with probability 1 − β. We refer to β as the discount factor. The proof of the next lemma uses Kakutani's fixed point theorem to show the existence of Nash equilibria in discounted games [25, 23].



Lemma 1.



k-uniform Strategies. Next, we show that a Nash equilibrium in the discounted game can be approximated using "simple" strategy profiles. We start with some definitions. An MDP is a 1-player stochastic game. An MDP reach-a-set game is a 1-player stochastic reach-a-set game. Fix an n-player stochastic game G. Let σ^∞ = (σ_1^∞, σ_2^∞, ..., σ_n^∞) be a memoryless strategy profile and σ = (σ_1, σ_2, ..., σ_n) the corresponding selector profile. Then the game G_σ is a Markov chain whose law of motion p_σ is defined by the functions in the selector profile σ and the law of motion p of the game G. Similarly, G_{σ_{−i}} is an MDP where the mixed action of each player j ≠ i at a state s is fixed according to the selector function σ_j(s). The law of motion p_{σ_{−i}} of the MDP is determined by the selectors in σ_{−i} and the law of motion p of G. Given an MDP reach-a-set game G with the target R, the value of the game at state s is denoted by v(s) = sup_π E_{s,π} φ^R, where π ranges over all strategies and φ^R is the reach-a-set game payoff for the player in the game G. Similarly, we use v^β(s) = sup_π E_{s,π} φ^R to denote the value at state s in the game G^β, where G^β is the β-discounted version of the game G.

Given an n-player reach-a-set game G let |S| denote the size of the state space and l = max_i |A_i| denote the maximum number of actions available to any player at any state of G. A selector function σ_i for player i is pure if for all states s ∈ S there is an action a_i ∈ A_i such that σ_i(s)(a_i) = 1. A selector function σ_i^k for player i is k-uniform if for all states s ∈ S there exists a multiset M of pure selectors with |M| ≤ k such that σ_i^k is the uniform distribution over M. A selector profile σ^k = (σ_1^k, σ_2^k, ..., σ_n^k) is k-uniform if all the selectors σ_i^k are k-uniform for all i ∈ {1, 2, ..., n}. A memoryless strategy profile σ^{k,∞} = (σ_1^{k,∞}, σ_2^{k,∞}, ..., σ_n^{k,∞}) is k-uniform if the selector profile σ^k = (σ_1^k, σ_2^k, ..., σ_n^k) corresponding to the strategy profile is k-uniform. We use a technical lemma by Lipton et al. [14] for matrix games (Lemma 2), and a Lipschitz continuity property for MDPs.

Lemma 2 ([14]).

Let G_1 and G_2 be two MDPs defined on the same state space S and action space A with laws of motion p_1 and p_2 respectively. The distance of the two MDPs is defined as:

½ Σ_{s,s',a} |p_1(s | s', a) − p_2(s | s', a)|.

Lemma 3.

Proof. Consider any player i and a player j ≠ i. Consider the selector profile σ_j for player j. It follows from Lemma 2 that there is a k-uniform selector profile σ_j^k, where k ≥ …, such that for player j the following conditions hold: (a) every action that is played with probability 0 in σ_j is played with probability 0 in σ_j^k; (b) for every action a that is played with positive probability in σ_j, the difference in probability |σ_j(s)(a) − σ_j^k(s)(a)| for any s ∈ S is at most ….

Consider the MDPs G_{σ_{−i}} and G_{σ^k_{−i}} with laws of motion p_1 and p_2 respectively. Since there are n players, for any pair of states s, s' and action a, the difference in probabilities |p_1(s' | s, a) − p_2(s' | s, a)| is at most …. Since the size of the state space is |S| and the number of actions of player i is at most l, there can be at most |S|² l edges. Hence the result follows. ∎
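As an added illustration of the k-uniform selectors defined above and of conditions (a) and (b) in the proof of Lemma 3 (our own example code, not from the paper): a mixed selector profile is rounded to a k-uniform one by largest-remainder rounding, the Markov chain G_σ induced by a memoryless profile is built, and the change in the induced law of motion is measured. The two-player game, the selectors and every function name are constructed for this illustration.

```python
# Added example (not from the paper): rounding a memoryless selector profile to
# a k-uniform one, as in the definitions above and the proof of Lemma 3, and the
# Markov chain G_sigma induced by a memoryless profile.  All names are ours; the
# law of motion is stored as p[s][a][t] with a a tuple of one action per player.
from itertools import product


def k_uniform_selector(selector, k):
    """Round every state's mixed action to the uniform distribution over a
    multiset of k pure actions (largest-remainder rounding).  Actions with
    probability 0 stay at 0 and every probability moves by less than 1/k."""
    rounded = {}
    for s, dist in selector.items():
        support = [a for a, q in dist.items() if q > 0]
        counts = {a: int(k * dist[a]) for a in support}        # floor(k * q_a)
        short = k - sum(counts.values())                       # copies left over
        by_fraction = sorted(support, key=lambda a: k * dist[a] - counts[a],
                             reverse=True)
        for a in by_fraction[:short]:                          # largest remainders
            counts[a] += 1
        rounded[s] = {a: counts.get(a, 0) / k for a in dist}
    return rounded


def induced_chain(p, profile):
    """Law of motion p_sigma(t | s) of the Markov chain G_sigma: the game's
    transitions averaged over the product of the players' mixed actions."""
    chain = {}
    for s, by_joint in p.items():
        row = {}
        for joint, dist in by_joint.items():
            weight = 1.0
            for i, a_i in enumerate(joint):
                weight *= profile[i][s].get(a_i, 0.0)
            for t, q in dist.items():
                row[t] = row.get(t, 0.0) + weight * q
        chain[s] = row
    return chain


def max_entry_gap(chain1, chain2):
    """Largest |p1(t | s) - p2(t | s)| over all pairs of states."""
    return max(abs(chain1[s].get(t, 0.0) - chain2[s].get(t, 0.0))
               for s in chain1 for t in set(chain1[s]) | set(chain2[s]))


# Constructed two-player game (not from the paper): s1 is absorbing, and at s0
# the players must both play x to reach s1 for sure.
JOINT = list(product("xy", repeat=2))
P = {"s0": {("x", "x"): {"s1": 1.0}, ("x", "y"): {"s0": 0.5, "s1": 0.5},
            ("y", "x"): {"s0": 0.5, "s1": 0.5}, ("y", "y"): {"s0": 1.0}},
     "s1": {a: {"s1": 1.0} for a in JOINT}}
SIGMA = [{"s0": {"x": 0.7, "y": 0.3}, "s1": {"x": 1.0, "y": 0.0}},
         {"s0": {"x": 0.45, "y": 0.55}, "s1": {"x": 1.0, "y": 0.0}}]


def rounding_gap(p, profile, k):
    """Gap between the chains induced by sigma and by its k-uniform rounding.
    Each of the |A| joint weights changes by at most n/k (n factors, each
    moving by less than 1/k), so the gap stays below |A| * n / k."""
    rounded = [k_uniform_selector(sel, k) for sel in profile]
    return max_entry_gap(induced_chain(p, profile), induced_chain(p, rounded))
```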

Lemma 3 and the Lipschitz continuity of the values of MDP reach-a-set games with respect to this distance [9] give the following lemma.

Lemma 4.

Given any game G we denote by p_min the minimum non-zero transition probability in the law of motion p of G; formally p_min = min{p(t | s, a_1 ... a_n) | p(t | s, a_1 ... a_n) > 0}. The following result follows from Lemma 1 and Lemma 4.

Lemma 5.

Our final ingredient is a result by Condon [3] that relates p_min with the discount factor.

Lemma 6.

Nash Equilibrium. We now prove Theorem 1 using the results on discounted reach-a-set games above. Given the game G and ε > 0, let α be …. We construct a game G^β which is a discounted version of G with discount factor β, such that β = …. Let σ^{k,∞} = (σ_1^{k,∞}, σ_2^{k,∞}, ..., σ_n^{k,∞}) be a memoryless strategy profile such that σ^{k,∞} is an ε/3-Nash equilibrium profile in the game G^β and, for every player i, the minimum transition probability in the MDP G^β_{σ^k_{−i}} is at least α (existence follows from Lemma 5). Consider any player i and the strategy profile σ^k_{−i}. The game G_{σ^k_{−i}} is an MDP where the mixed actions of all the other players are fixed according to σ^k_{−i}. Also, G^β_{σ^k_{−i}} is the MDP which is the β-discounted version of the game G_{σ^k_{−i}}. Hence for every player i we have

sup_{ρ_i} E_{s,(σ^k_{−i},ρ_i)} φ_i^R ≤ sup_{ρ_i} E^β_{s,(σ^k_{−i},ρ_i)} φ_i^R + ε/3 (from Lemma 6)
 ≤ (E^β_{s,σ^{k,∞}} φ_i^R + ε/3) + ε/3
 ≤ E_{s,σ^{k,∞}} φ_i^R + ε.

Hence σ^{k,∞} = (σ_1^{k,∞}, σ_2^{k,∞}, ..., σ_n^{k,∞}) is an ε-Nash equilibrium profile in G.

4 Computational Complexity

Let π be an ε-equilibrium profile. Let v_i^π(s) = E_{s,π} φ_i^R denote the value at state s for player i under the strategy profile π. The value of an ε-equilibrium profile π at a state s is the value vector v^π(s) = (v_1^π(s), v_2^π(s), ..., v_n^π(s)). Our main results about the computational complexity of computing the value of any ε-equilibrium profile within a tolerance of ε are summarized below.

Theorem 2 (Computing Values of a Memoryless Equilibrium Profile).




Approximating in NP. We will prove that for every fixed ε > 0 the value of some ε-Nash equilibrium can be approximated in NP.

The following lemma follows by approximating a memoryless ε-Nash equilibrium (existence follows from Theorem 1) by a k-uniform memoryless equilibrium, using arguments similar to Lemmas 3 and 4.



Lemma 7.

Lemma 8.


Proof. The NP algorithm guesses a k-uniform selector profile σ^k for a k-uniform memoryless ε-equilibrium strategy profile σ^{k,∞}. It then verifies that the value of the MDP G_{σ^k_{−i}} for every state s ∈ S and each player i is within ε-tolerance of the value of the Markov chain defined by G_{σ^k}. Since the values of an MDP can be computed in polynomial time (using linear programming), it follows that the approximation within ε tolerance can be achieved by an NP algorithm. ∎



NP-completeness. We first prove that it is NP-hard to compute a pure, memoryless Nash equilibrium profile for n-player deterministic reach-a-set games, by reduction from 3-SAT. Given a 3-SAT formula ψ with n clauses and m variables we construct an n-player deterministic reach-a-set game G_ψ. Let the variables in the formula ψ be x_1, x_2, ..., x_m and the clauses be C_1, C_2, ..., C_n. In the game G_ψ each clause is a player. The state space S, the law of motion and the target states are defined as follows. There is a state i for each variable x_i, two sink states sink and m + 1, and states (i, j) for i = 1, ..., m and j = 0, 1 for an assignment j to the variable x_i: S = {1, 2, ..., m, m + 1} ∪ {(i, j) | i = 1, ..., m and j = 0, 1} ∪ {sink}. For any state (i, j) the game always moves to the state i + 1. Let C_i = {c_{i_1}, c_{i_2}, ..., c_{i_k}} be the set of clauses in which variable x_i occurs. Then, in state i players i_1, i_2, ..., i_k have a choice of moves between {0, 1}. If all the players choose move 0 the game proceeds to state (i, 0); if all the players choose move 1 the game proceeds to state (i, 1); else the game goes to the sink state. Once the game reaches the sink state or the state m + 1 it remains there for ever. Let C_i^0 = {c_{k_1}, c_{k_2}, ..., c_{k_l}} be the set of clauses that are satisfied by assigning x_i = 0; then the state (i, 0) is a target state for players k_1, k_2, ..., k_l. Similarly, let C_i^1 = {c_{k'_1}, c_{k'_2}, ..., c_{k'_{l'}}} be the set of clauses that are satisfied by assigning the variable x_i = 1; then the state (i, 1) is a target state for players k'_1, k'_2, ..., k'_{l'}. The states 1, 2, ..., m + 1 and the sink state are not target states for any player.

We reduce the 3-SAT problem to the problem of determining whether there is an equilibrium in G_ψ such that each player i has a value ≥ v_i at state s. Each player gets value 1 at state 1 iff the formula ψ is satisfiable. If the formula is satisfiable, consider a satisfying assignment to the variables. Then at each state i all the players choose the move specified by the satisfying assignment, and hence every player gets payoff 1. If there is a pure memoryless strategy profile such that all the players get payoff 1 in the game G_ψ, then it follows from the construction of G_ψ that there is an assignment such that every clause is satisfied, and hence the 3-SAT formula ψ is satisfiable.

Inclusion in NP is proved by guessing a pure memoryless strategy profile (i.e., at each state, guess an action for each player), and verifying that in the resulting Markov chain each player i gets at least the payoff v_i, and also that in the Markov decision process obtained by fixing the strategies of all but player i, player i cannot improve his expected payoff. This proves Theorem 2(2).
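The reduction and the guess-and-verify step above, as an added Python example that is not part of the paper: it builds G_ψ from a 3-SAT instance, plays a pure memoryless profile from state 1, searches the assignment-induced profiles for an all-ones value vector, and runs the NP verifier on a profile. The function names, the default move for a variable that no clause mentions, and the two sample formulas are our own assumptions.

```python
# Added example (not from the paper): the 3-SAT -> n-player deterministic
# reach-a-set game G_psi of the NP-hardness proof above, plus the "guess and
# verify" check of the NP-membership argument.  All names are ours.  A 3-SAT
# instance is a list of clauses over variables 1..m; a negative literal -x
# stands for "not x", and clause number c is played by player c.
from itertools import product

SINK = "sink"


def build_game(m, clauses):
    """Build G_psi: states 1..m+1, (i, j) for j in {0, 1}, and the sink."""
    n = len(clauses)
    # Players (clauses) moving at variable state i: those whose clause mentions x_i.
    movers = {i: [c for c in range(n) if any(abs(lit) == i for lit in clauses[c])]
              for i in range(1, m + 1)}
    # (i, j) is a target state of player c iff x_i = j satisfies a literal of c.
    targets = {c: {(abs(lit), 1 if lit > 0 else 0) for lit in clauses[c]}
               for c in range(n)}
    return {"m": m, "n": n, "movers": movers, "targets": targets}


def step(game, state, moves):
    """Deterministic law of motion; `moves` maps each mover at `state` to 0/1."""
    if state == SINK or state == game["m"] + 1:
        return state                      # absorbing states
    if isinstance(state, tuple):
        return state[0] + 1               # (i, j) always moves on to i + 1
    chosen = {moves[c] for c in game["movers"][state]}
    if not chosen:                        # assumption (not in the paper): a variable
        return (state, 0)                 # no clause mentions is set to 0
    if len(chosen) == 1:
        return (state, chosen.pop())      # unanimous move j -> state (i, j)
    return SINK                           # disagreement -> sink for ever


def play(game, profile):
    """Payoff vector from state 1 under a pure memoryless profile, where
    profile[c][i] is player c's move at each variable state i where c moves.
    Player c receives 1 iff the play visits one of its target states."""
    state, visited = 1, set()
    while state != SINK and state != game["m"] + 1:
        visited.add(state)
        moves = {c: profile[c][state] for c in game["movers"].get(state, [])}
        state = step(game, state, moves)
    return [1 if visited & game["targets"][c] else 0 for c in range(game["n"])]


def profile_from_assignment(game, assignment):
    """Profile in which every player plays the assignment's value of x_i."""
    return {c: {i: assignment[i] for i in range(1, game["m"] + 1)
                if c in game["movers"][i]} for c in range(game["n"])}


def assignment_with_all_payoff_one(game):
    """Search the 2^m unanimous profiles for one in which every player gets 1.
    A profile that is not unanimous at some state sends the play to the sink
    there, earning at most what its unanimous prefix earns; so an all-ones
    value vector exists iff some assignment satisfies every clause."""
    m = game["m"]
    for bits in product((0, 1), repeat=m):
        assignment = dict(zip(range(1, m + 1), bits))
        if all(play(game, profile_from_assignment(game, assignment))):
            return assignment
    return None


def best_deviation_payoff(game, profile, c):
    """Best payoff player c gets by a pure memoryless deviation, others fixed.
    With the others fixed the game is a deterministic MDP for player c, who
    moves at most three times (once per variable of its clause), so trying
    its at most eight pure memoryless strategies is enough."""
    my_states = sorted(profile[c])
    best = 0
    for choice in product((0, 1), repeat=len(my_states)):
        deviated = dict(profile)
        deviated[c] = dict(zip(my_states, choice))
        best = max(best, play(game, deviated)[c])
    return best


def is_pure_nash_with_values(game, profile, v):
    """The NP verifier: in the Markov chain of the profile every player c gets
    at least v[c], and no player can gain by deviating unilaterally."""
    payoff = play(game, profile)
    return all(payoff[c] >= v[c] and
               payoff[c] >= best_deviation_payoff(game, profile, c)
               for c in range(game["n"]))


# Constructed instances (not from the paper): SAT is satisfiable; UNSAT lists
# all eight clauses over three variables and so is unsatisfiable.
SAT = [(1, -2, 3), (-1, 2, 3), (-1, -2, -3)]
UNSAT = [tuple(s * v for s, v in zip(signs, (1, 2, 3)))
         for signs in product((1, -1), repeat=3)]
```

Note that a unanimous profile from a non-satisfying assignment can still pass the verifier with a value vector containing zeros, which is why the decision problem carries the thresholds v_i.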

Concurrent Reachability Games. The techniques developed for n-player nonzero sum games can be used to find better bounds in two-player zero sum reachability games. Our proof goes through a special case of two-player (nonzero sum) reach-a-set games, namely two-player constant-sum games. For a two-player reach-a-set game G let Π denote the set of all ε-equilibrium strategy profiles for ε > 0. We use the following notation: v_1(s) = sup_{π∈Π} E_{s,π} φ_1^R and v_2(s) = sup_{π∈Π} E_{s,π} φ_2^R. A two-player reach-a-set game is constant-sum if for all states s ∈ S we have (a) v_1(s) + v_2(s) = 1 and (b) for all π ∈ Π, E_{s,π} φ_1^R + E_{s,π} φ_2^R = 1. For this special case, we prove an NP ∩ co-NP bound to approximate the value of an ε-equilibrium profile, for any fixed ε.

Lemma 9.

Proof. Inclusion in NP follows as a special case of Lemma 8. To prove inclusion in co-NP, consider the case when v_1(s) < … − ε. The following NP algorithm determines if v_1(s) < … − ε. It guesses the k-uniform selector σ_2^k for player 2 and verifies that the value of player 1 at the state s in the MDP G_{σ_2^k} is less than … − ε. From Lemma 7 we know that there is a k-uniform memoryless ε-equilibrium profile (σ_1^{k,∞}, σ_2^{k,∞}) with selector profile σ^k = (σ_1^k, σ_2^k). Since the value of an MDP at any state can be computed in polynomial time (using linear programming), the required result follows. ∎

We now reduce two-player zero sum reach-a-set games to two-player constant-sum reach-a-set games in the following way. First, we compute the set of states where the players have value 1 (i.e., for each player i ∈ {1, 2}, the set of states W_i where player i can ensure that she gets payoff arbitrarily close to 1). This can be done in polynomial time [5]. Second, consider the constant-sum reach-a-set game G' constructed from the concurrent reachability game G where the sets of states W_1 and W_2 are converted to sink (absorbing) states and the objective for player i is to reach the set W_i. Then we can show that the value obtained by player 1 in the game G is equal to the value v_1(s) obtained by player 1 in G'. This gives an NP ∩ co-NP algorithm for two-player zero sum reachability games, improving the previously known EXPTIME bound [6].

Theorem 3.

The natural question at this point is whether there is a polynomial time algorithm for concurrent zero sum reachability games. Since simple stochastic games [3] can be easily reduced to concurrent reachability games, a polynomial time algorithm for this problem would imply a polynomial time algorithm for simple stochastic games. This is a long-standing open problem.

5 Games with Turns

An n-player stochastic game is turn-based (or perfect information) if at each state there is exactly one player who determines the next state. Formally, we extend the action sets for i = 1, ..., n to be state dependent, that is, for each state s ∈ S there are action sets A_{is} for i = 1, ..., n, and we restrict the action sets so that for any s ∈ S there is at most one i ∈ {1, ..., n} such that |A_{is}| > 1.

We consider payoff functions that are indicator functions of Borel sets (see e.g. [12] for definitions), that is, given a Borel set B, we consider a payoff function χ_B that assigns payoff 1 to a play that is in the set B, and 0 to a play that is not in the set B. With abuse of notation, we identify the set B with the payoff function χ_B. We consider turn-based games in which each player i is given a Borel payoff B_i. A two-player Borel game is zero sum if the payoff set of one player is B and the payoff set of the other player is the complement H \ B, that is, the players have strictly opposing objectives. A deep result by Martin shows that two-player zero sum infinite stochastic games with Borel payoffs have a value [18]. The proof constructs, for each real v ∈ (0, 1], a zero sum turn-based deterministic infinite-state game with Borel payoff such that a (pure) winning strategy for player 1 in this game can be used to construct a (mixed) winning strategy in the original game that assures player 1 a payoff of at least v. From the determinacy of turn-based deterministic games with Borel payoffs [17], the existence of value in zero sum stochastic games with Borel payoffs follows. Moreover, the proof constructs ε-optimal mixed winning strategies. A careful inspection of Martin's proof in the special case of turn-based probabilistic games shows that the ε-optimal strategies of player 1 are pure. This is because the mixed strategies are derived from solving certain one-shot concurrent games at each round. In our special case these one-shot games have pure winning strategies since only one player has a choice of actions.

Fig. 2. A turn-based probabilistic game

Lemma 10.

Theorem 4.

Proof. Our construction is based on a general construction from repeated games. The basic idea is that player i plays optimal strategies in the zero sum game against all other players, and any deviation by player i is punished indefinitely by the other players, who play ε-optimal spoiling strategies in the zero sum game against player i (see, e.g., [19, 28]). Let player i have the payoff set B_i, for i = 1, ..., n. Consider the n zero sum games played between i and the team [n] \ {i}, with the winning objective B_i for i. By Lemma 10 there is a pure ε-optimal strategy π_i for player i in this game, and a pure ε-optimal spoiling strategy for the players j ≠ i. This spoiling strategy induces a strategy π_j^i for each player j ≠ i. Now consider the strategy τ^i for player i defined as follows. Player i plays the strategy π_i as long as all the other players j play π_j, and switches to π_i^j as soon as some player j deviates. Since the strategies are pure, any deviation is immediately noted. The strategies τ^i for i = 1, ..., n form an ε-Nash equilibrium.



Note that the construction above for probabilistic Borel games guarantees only ε-optimality. Example 1 shows that there are two-player turn-based probabilistic zero sum games where only ε-optimal strategies exist, and optimal strategies do not exist. Hence Theorem 4 cannot be strengthened to Nash equilibrium.

Example 1. Consider the turn-based probabilistic game shown in Figure 2. At state s_0 player 1 chooses between two actions: a_1 = s_0 → s_1 and a_2 = s_0 → s_2. At state s_1 the play moves to the states s_2 and s_3 with probability … each. At state s_3 player 2 chooses between two actions: b_1 = s_3 → s_2 and b_2 = s_3 → s_4. The game is zero sum, and the objective B for player 1 is:

B = {π_1 π_2 … | π_1 = s_0 ∧ ∃k. π_k = s_1}
  ∪ {π_1 π_2 … | π_1 = s_0 ∧ ∃k. π_1 = π_2 = ⋯ = π_k = s_0 ∧ π_{k+1} ≠ s_0 ∧ ∃j. k + 1 < j < 3k. π_j = s_4}

Informally, the winning condition for player 1 is as follows. Player 1 wins if either the game reaches the state s_1, or the game reaches s_4 and the number of visits to s_0 is greater than the number of visits to s_3 before s_4 is hit. Player 1 can get payoff arbitrarily close to 1 in the following way. For any ε > 0, consider the strategy σ_1 for player 1 that chooses the action a_1 = s_0 → s_0 for k times and then chooses the action a_2 = s_0 → s_2, where ε > …. The strategy σ_1 ensures that player 1 wins with probability at least 1 − ε. On the other hand, player 1 has no optimal strategy. Consider any strategy σ_1 for player 1 that chooses the action a_2 = s_0 → s_2 after k steps. The strategy for player 2 is as follows: choose the action b_1 = s_3 → s_2 for k + 1 times and then choose the action b_2 = s_3 → s_4. The probability that player 1 wins is then at most 1 − …. Hence, player 1 has ε-optimal strategies for every ε > 0, but no optimal strategy. ∎

Exact Nash equilibria do exist in special cases. First, the determinacy re- 
sult for zero sum turn based deterministic games with payoffs corresponding 
to Borel sets [17] shows the existence of optimal winning strategies. Hence, the 
construction of Theorem 4 gives exact Nash equilibria. 

Corollary 1.



Second, in the special case of turn-based probabilistic games with parity winning conditions, pure and memoryless optimal winning strategies exist for the two-player zero sum case [2]. Moreover, the pure memoryless optimal strategies can be computed in NP ∩ co-NP. (Notice that the winning condition in Example 1 is not ω-regular.) Therefore we have the following.

Theorem 5.
A Bounding Quantifier

Abstract. The logic MSOL+B is defined by extending monadic second-order logic on the infinite binary tree with a new bounding quantifier B. In this logic, a formula BX.φ(X) states that there is a finite bound on the size of sets satisfying φ(X). Satisfiability is proved decidable for two fragments of MSOL+B: formulas of the form ¬BX.φ(X), with φ a B-free formula; and formulas built from B-free formulas by nesting B, ∃, ∨ and ∧.



1 Introduction 

Using monadic second-order logic over infinite trees one cannot express properties such as "there exist bigger and bigger sets such that..." or "there is a bound on the size of sets such that...". In this paper we present decision procedures for an extension of MSOL where such properties are definable.

The need for such cardinality constraints occurs naturally in applications. For instance, a graph that is interpreted in the full binary tree using monadic second-order logic (MSOL) is known to have bounded tree-width if and only if it does not contain bigger and bigger complete bipartite subgraphs [1]. Another example: a formula of the two-way μ-calculus [12] has a finite model if and only if it has a tree model in which there is a bound on the size of certain sets [2]. Sometimes boundedness is an object of interest in itself, cf. [4], where pushdown games with the bounded stack condition are considered.

In light of these examples, it seems worthwhile to consider the logic MSOL+B obtained from MSOL by adding two new quantifiers B and U, which express properties like the ones just mentioned. Let ψ(X) be a formula expressing some property of a set X in a labeled infinite tree. The formula BX.ψ(X) is satisfied in those trees t where there is a finite bound (which might depend on t) on the size of sets Y such that the tree t[X := Y] satisfies ψ(X). We also consider the dual quantifier U, which states that there is no finite bound.

Adding new constructions to MSOL has a long history. A notable early example is a paper of Elgot and Rabin [6], where the authors investigated what predicates P can be added to MSOL over (ℕ, <) while preserving decidability of the theory. Among the positive examples they gave are monadic predicates representing the sets {i! : i ∈ ℕ}, {i^k : i ∈ ℕ} and {k^i : i ∈ ℕ}. This line of research was recently continued by Carton and Thomas in [5], where the list was extended by so called morphic predicates.

A construction similar to our bounding quantifier can be found in [7], where Klaedtke and Ruess consider extending MSOL on trees and words with cardinality constraints of the form:

|X_1| + ⋯ + |X_r| < |Y_1| + ⋯ + |Y_s|.

Although MSOL with these cardinality constraints is in general undecidable, the authors show a decision procedure for a fragment of the logic, where, among other restrictions, quantification is allowed only over finite sets. Interestingly, MSOL+B is definable using cardinality constraints, although it does fall outside the aforementioned fragment and cannot be described using the techniques in [7]:

BX.ψ iff ∃Y. Finite(Y) ∧ ∀X. (ψ(X) → |X| ≤ |Y|).

Finally, a quantifier that also deals with cardinality can be formulated based on the results of Niwiński in [8]. It is not, however, the size of sets satisfying ψ(X) but the number of such sets that is quantified. More precisely, a binary tree t satisfies ∃^c X.ψ(X) if there are continuum many sets Y such that t[X := Y] satisfies ψ(X). This quantifier, it turns out, is definable in MSOL, and thus its unrestricted use retains decidability.

Our bounding quantifier B, however, is not definable in MSOL. Using the bounding quantifier one can define nonregular languages, and hence the question: is satisfiability of MSOL+B formulas decidable? In this paper we investigate this question and, while being unable to provide an exhaustive answer, we present decision procedures for two nontrivial fragments of MSOL+B.

This investigation leads us to identify a class of tree languages, new to our knowledge, which we call quasiregular tree languages. A set of infinite trees is L-quasiregular if it coincides with the regular language L over the set of regular trees and, moreover, is the sum of some family of regular tree languages. The intuition behind an L-quasiregular language is that it is a slight non-regular variation of the language L, yet in most situations it behaves the same way as L.

On the one hand, quasiregular languages are simple enough to have decidable emptiness: an L-quasiregular language is nonempty iff L is nonempty. On the other hand, quasiregular languages are powerful enough to allow nontrivial applications of the bounding quantifier: they are closed under bounding quantification, existential quantification, conjunction and disjunction. This yields the decidability result:

Theorem 43. Satisfiability is decidable for existential bounding formulas.

Unfortunately quasiregular languages do not capture all of MSOL+B. For instance, they are not closed under complementation, hence Theorem 43 gives no insight into properties that use the dual quantifier U.
For this reason, we also conduct a separate analysis of the U quantifier (note that satisfiability for U is related to validity for B). By inspection of an underlying automaton, we prove:

Theorem 47. Satisfiability is decidable for formulas of the form UX.ψ, with ψ a B-free formula.

We are, however, unable to extend this result in a fashion similar to Theorem 43 by allowing non-trivial nesting.

The plan of the paper is as follows. In Section 2, we briefly survey possible applications of the bounding quantifier. After the preliminaries in Section 3, we introduce the quantifier in Section 4. In Sections 4.1 and 4.2 we prove decidability for bounding existential formulas, while in Section 4.3 we prove decidability for formulas which use the unbounding quantifier outside an MSOL formula.

Acknowledgements. I would like to thank Igor Walukiewicz, Damian Niwiński and Thomas Colcombet for their valuable suggestions.

2 Applications 

In this section we briefly and informally overview three possible applications. We would like to emphasize that in none of these cases does using the bounding quantifier give new results; it only simplifies proofs of existing ones.

The first application comes from graph theory. Sometimes a graph G = (V, E) can be interpreted in the unlabeled full binary tree {0, 1}* via two formulas: a formula α(x) true for the vertices used to represent a vertex from V and a formula β(x, y) representing the edge relation E. From [1], it follows that such a graph G(α, β) is of bounded tree-width if and only if there is a fixed bound N on the size n of full bipartite subgraphs of G(α, β). Given two sets E, G ⊆ {0, 1}* one can express using MSOL that these sets represent the left and right parts of a bipartite subgraph. The property that there exist bigger and bigger sets E, G encoding a bipartite graph can then, after some effort, be expressed as a formula of the form UZ.ψ, where the unboundedness of only a single set Z is required. The validity of such a formula in the unlabeled tree can be verified using either one of Theorems 43 and 47; hence we obtain a conceptually simple decidability proof for the problem "does a graph represented in the full binary tree have bounded tree-width?" [1].

Another application is in deciding the winner in a certain type of pushdown 
game. A pushdown game is a two-player game obtained from a pushdown automaton. 
The vertices of the graph are the configurations (q, γ) ∈ Q × Γ* of a pushdown 
automaton of state space Q and stack alphabet Γ, while the edges represent the 
transitions. The game is obtained by adding a partition of Q into states Q_0 of 
player 0 and states Q_1 of player 1, along with a winning condition, or set of plays 
in (Q × Γ*)^ω that are winning for player 0. In [4], the authors consider the 
winning condition where a play is winning for player 0 if there is a fixed finite 
bound on the size of the stacks appearing in it. Using a natural interpretation 
of the pushdown game in a binary tree, the fact that player 0 wins the game from 
a fixed position v is equivalent to the satisfiability of a formula 

$$\exists S_0\; \forall S_1\; BX.\, \psi(S_0, S_1, X, v)$$

in which ψ(S_0, S_1, X, v) says that X represents a stack appearing in the unique 
play starting in vertex v and concordant with the strategies S_0 and S_1. We are 
able to quantify over strategies due to memoryless determinacy of the relevant 
game. Moreover, by a closer inspection of the game, one can show that ∀S_1 can 
be shifted inside the B quantifier, yielding an existential bounding formula whose 
satisfiability is decidable by Theorem 43. 

Finally, the bounding quantifier can be applied to the following decision problem 
[3, 2]: “Is a given formula φ of the modal μ-calculus with backward modalities 
satisfiable in some finite structure?” In [3] it is shown that the answer is yes iff 
a certain nonregular language of infinite trees is nonempty. This language 
expresses the property that certain paths in a tree are of bounded length, and 
can easily be expressed using an existential quasiregular formula. 

3 Preliminaries 

In this section we define the basic notions used in the paper: infinite trees, regular 
languages of infinite trees and regular trees. 

A finite A-sequence is a function a : {0, ..., n} → A, while an infinite A-sequence 
is a function a : ℕ → A. We use boldface letters to denote sequences. 
Given a function f : A → B and an A-sequence a, f ∘ a is a well defined B-sequence. 
Often we will forsake the functional notation and write a_i instead of 
a(i). The length |a| ∈ ℕ ∪ {∞} of a sequence is the size of its domain. We use A* 
to denote the set of finite A-sequences and A^ω for the set of infinite A-sequences. 
The concatenation of two sequences a and b, denoted by a·b, is defined in the 
usual fashion. 

Let Σ be some finite set, called the alphabet. An infinite Σ-tree is a function 
t : {0,1}* → Σ. Therefore, all infinite trees have the same domain. We denote 
the set of infinite Σ-trees by Trees^∞(Σ). An infinite tree language over Σ is 
any subset of Trees^∞(Σ). Since we will only consider infinite trees in this paper 
and the next one, we will omit the word infinite and simply write Σ-tree and 
tree language. A node is any element of {0,1}*. We order nodes using the prefix 
relation <. Given v ∈ {0,1}*, the subtree of t in v is the tree t|_v defined by: 

$$t|_v(w) = t(v \cdot w).$$

A regular tree is a tree with finitely many distinct subtrees; the class of all 
regular trees is denoted by REG. An infinite path is any infinite sequence of 
nodes π such that: 

$$\pi_0 = \varepsilon, \qquad \pi_1 = \pi_0 \cdot a_0, \qquad \pi_2 = \pi_1 \cdot a_1, \qquad \dots \qquad a_i \in \{0,1\}.$$

Given two nodes v < w, we define the set Bet(v, w) of elements between v 
and w as v·{0,1}* \ w·{0,1}*. 
Let Σ be an alphabet and * a letter outside Σ. A Σ-context is any Σ ∪ {*}-tree 
C where the label * occurs only once, in a position called the hole of C. We 
don’t require this position to be a leaf, since there are no leaves in an infinite 
tree, but all nodes below the hole are going to be irrelevant to the context. The 
domain dom(C) of a context C is the set of nodes that are not below or equal 
to the hole. Given a Σ-tree t and a context C[] whose hole is v, the tree C[t] is 
defined by: 

$$C[t](w) = \begin{cases} t(u) & \text{if } w = v \cdot u \text{ for some } u \in \{0,1\}^*; \\ C(w) & \text{otherwise.} \end{cases}$$

The composition of two contexts C and D is the unique context C·D such 
that (C·D)[t] = C[D[t]] holds for all trees t. We do not use multicontexts for 
infinite trees. 



3.1 Nondeterministic Tree Automata and Regular Tree Languages 

As in the case of finite trees, regular languages of infinite trees can be defined 
both using automata and monadic second-order logic. The two approaches are 
briefly described in this section. 

Definition 31 (Parity condition). A sequence a ∈ A^ω of numbers belonging to 
some finite set of natural numbers A is said to satisfy the parity condition if the 
smallest number occurring infinitely often in a is even. 

A nondeterministic parity automaton is a tuple 

$$A = (Q, \Sigma, q_I, \delta, \Omega)$$

where Q is a finite set of states, Σ is the finite alphabet, q_I ∈ Q is the 
initial state, δ ⊆ Q × Σ × Q × Q is the transition relation and Ω : Q → ℕ is the 
rank function. Elements of the finite image Ω(Q) are called ranks. A run of 
A over a Σ-tree t is any Q-tree ρ such that 

$$(\rho(v), t(v), \rho(v \cdot 0), \rho(v \cdot 1)) \in \delta \quad \text{for every } v \in \{0,1\}^*.$$

The run ρ is accepting if for every infinite path π, the sequence of ranks 
Ω ∘ ρ ∘ π satisfies the parity condition. The automaton accepts a tree from the state 
q ∈ Q if there is some accepting run with state q labeling the root. A tree is 
accepted if it is accepted from the initial state q_I. The language of A, denoted 
T(A), is the set of trees accepted by A; such a language is said to be regular. An 
automaton is nonempty if and only if its language is. 

We say two trees s and t are equivalent for A, which is denoted 
s ≡_A t, if for every state q of A, the tree s is accepted from q if and only if the tree 
t is. If the trees s and t are equivalent for A, then they cannot be distinguished 
by a context, i.e. for every context C[], the tree C[s] is accepted by A if and only 
if the tree C[t] is. 
We now proceed to define the logical approach to regular languages of infinite 
trees. Consider an alphabet Σ = {σ_1, ..., σ_n}. As in the finite tree case, with a 
Σ-tree we associate a relational structure 

$$\mathbf{t} = (\{0,1\}^*, S_0, S_1, <, \sigma_1^t, \dots, \sigma_n^t).$$

The relations are interpreted as follows: S_0 is the set of left sons {0,1}*0, S_1 
is the set of right sons {0,1}*1, < is the prefix ordering, while σ_i^t is the set 
of nodes that are labeled by the letter σ_i. 

With a sentence ψ of monadic second-order logic we associate the language 
L(ψ) of trees t such that t satisfies ψ. Such a language is said to be 
MSOL-definable. A famous result of Rabin [9] says that a language of infinite trees is 
MSOL-definable if and only if it is regular. 



4 The Bounding Quantifier 

The logic MSOL+B is obtained from MSOL by adding two quantifiers: the 
bounding quantifier B, and its dual, the unbounding quantifier U, which we define 
here using infinitary disjunction and conjunction: 

$$B^i X.\varphi := \forall X.(\varphi(X) \to |X| < i) \qquad\qquad U^i X.\varphi := \exists X.(\varphi(X) \wedge |X| > i)$$

$$BX.\varphi := \bigvee_{i \in \mathbb{N}} B^i X.\varphi \qquad\qquad UX.\varphi := \bigwedge_{i \in \mathbb{N}} U^i X.\varphi$$
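As an added check, not part of the original text, the duality of U and B can be read off the two definitions above by De Morgan’s laws (the threshold |X| ≥ i on the right may be replaced by |X| > i without changing the property, since the conjunction ranges over all i ∈ ℕ): 

$$\neg\, BX.\varphi \;=\; \neg \bigvee_{i \in \mathbb{N}} \forall X.(\varphi(X) \to |X| < i) \;=\; \bigwedge_{i \in \mathbb{N}} \exists X.(\varphi(X) \wedge |X| \ge i) \;=\; UX.\varphi.$$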

MSOL+B defines strictly more languages than MSOL (see Fact 44), hence it 
is interesting to consider decidability of the following problem: 

Is a given formula of MSOL+B satisfiable in some infinite tree? 

The remainder of this paper is devoted to this question. Although unable to 
provide a decision procedure for the whole logic, we do identify two decidable 
fragments. The first, existential bounding formulas, is proved decidable in 
Sections 4.1 and 4.2, while the second, formulas of the form UX.ψ with ψ in MSOL, 
is proved decidable in Section 4.3. 

4.1 Quasiregular Tree Languages 

Before we proceed with the proof of Theorem 43, we define the concept of a 
quasiregular tree language. We then demonstrate some simple closure properties 
of quasiregular tree languages and, in Section 4.2, show that quasiregular 
tree languages are closed under bounding quantification. These closure properties, 
along with the decidable nonemptiness of quasiregular languages, yield the 
decision procedure for existential bounding formulas found in Theorem 43. 

For technical reasons, we will find it henceforth convenient to work on trees 
where the alphabet is the powerset P(Σ) of some set Σ. The same results would 
hold for arbitrary alphabets, but the notation would be more cumbersome. By 
Val(Σ) we denote the set of P(Σ)-trees. Elements of the set Σ will be treated 
as set variables, the intuition being that a tree in Val(Σ) represents a valuation 
of the variables in Σ. Given a tree t ∈ Val(Σ) and a set F ⊆ {0,1}*, the tree 

$$t[X := F] \in \mathrm{Val}(\Sigma \cup \{X\})$$

is defined by adding the element X to the labels of all nodes in F and removing 
it, if necessary, from all the other nodes. 

Bounding quantification for an arbitrary tree language L ⊆ Val(Σ) is defined 
as follows. A tree t ∈ Val(Σ \ {X}) belongs to the language BX.L if there is 
some finite bound on the size of sets F such that the tree t[X := F] belongs to 
L. 

We now give the key definition of a quasiregular tree language. 

Definition 41 (Quasiregular Language). Let L be a regular tree language. 
A tree language K is L-quasiregular if 

– K ∩ REG = L ∩ REG, and 

– K is the union of some family of regular tree languages. 

A tree language is quasiregular if it is L-quasiregular for some regular language 
L. For the rest of Section 4.1 we will use the letter L for regular languages 
and the letter K for quasiregular ones. 

Lemma 1. If K is L-quasiregular, then K ⊆ L. 

Proof 

Let {L_i}_{i∈I} be the family of regular tree languages whose union is K. We will 
show that each language L_i is a subset of L. Indeed, over regular trees L_i is a 
subset of L, since K and L agree over regular trees. This implies the inclusion 
L_i ⊆ L for arbitrary trees, since otherwise the regular language L_i \ L would be 
nonempty and therefore, by Rabin’s Basis Theorem [10], contain a regular tree. 
□ 



The following easy fact shows that emptiness is decidable for quasiregular 
tree languages given an appropriate presentation: 

Fact 42. If K is L-quasiregular, then K is nonempty iff L is nonempty. 

Proof 

If L is nonempty, then it contains by Rabin’s Basis Theorem a regular tree 
and hence K must contain this same tree. The other implication follows from 
Lemma 1. □ 

In particular, every nonempty quasiregular language contains a regular tree. 
For a variable X we define the projection Π_X which, given a tree, returns 
the tree with X removed from all the labels. Projection is the tree language 
operation corresponding to existential quantification, as testified by the following 
equation: 

$$L(\exists X.\psi) = \Pi_X(L(\psi)).$$




48    M. Bojańczyk 



A set F ⊆ {0,1}* is regular if the unique tree t[X := F] ∈ Val({X}) is 
regular. Equivalently, F is regular if it is a regular word language. The following 
is a standard result: 

Lemma 2. Let L be a regular tree language. If a regular tree t belongs to Π_X(L), 
then t[X := F] ∈ L for some regular set F. 

Proof 

Since t is a regular tree, the set {t} is a regular tree language and so is Π_X^{-1}({t}). 
Therefore the intersection L ∩ Π_X^{-1}({t}) is regular and nonempty and, by Rabin’s 
Basis Theorem, contains some regular tree. Obviously, the X component in this 
tree must be a regular set. □ 

Now we are ready to show some basic closure properties of quasiregular 
languages: 

Lemma 3. Quasiregular tree languages are closed under intersection, union and 
projection. 

Proof 

The cases of intersection and union are trivial; we will only do the proof for 
projection. Let K be L-quasiregular. We will show that the projection Π_X(K) 
is Π_X(L)-quasiregular. First we prove that Π_X(K) is the union of a family of 
regular languages. By assumption, K is the union of some family of regular tree 
languages {L_i}_{i∈I}. But then 

$$\Pi_X(K) = \Pi_X\Big(\bigcup_{i \in I} L_i\Big) = \bigcup_{i \in I} \Pi_X(L_i)$$

and, since regular tree languages are closed under projection, Π_X(K) is the 
union of some family of regular tree languages. 

We also need to show that for every regular tree t, 

$$t \in \Pi_X(K) \quad \text{iff} \quad t \in \Pi_X(L).$$

The left to right implication follows from Lemma 1. The right to left implication 
follows from the fact that if t ∈ Π_X(L) then, by Lemma 2, for some regular 
set F, t[X := F] ∈ L. Since the tree t[X := F] is regular, it also belongs to K 
and hence t belongs to Π_X(K). 

□ 



4.2 Closure Under Bounding Quantification 

In this section, we show that quasiregular tree languages are closed under 
application of the bounding quantifier. This, together with the closure properties 
described in Lemma 3, yields a decision procedure for the fragment of MSOL+B 
that nests B along with existential quantification, conjunction and disjunction. 

Recall that a chain is any set of nodes that is linearly ordered by <. We say 
that a chain C is a trace path of a set of nodes F if the set F ∩ Bet(v, w) is 
nonempty for all nodes v < w in C. 
Lemma 4. , , , ' i - , , , • , , i 

Let t ∈ Val(Σ) and L ⊆ Val(Σ ∪ {X}). An (L, X)-bad chain in the tree t is 
an infinite chain C whose every finite subset is a trace path of some set F such 
that t[X := F] ∈ L. The set of trees containing no (L, X)-bad chain is denoted 
by CX.L. Bad chains have the desirable property of being MSOL definable, as 
testified by: 

Lemma 5. If L is regular, then so is CX.L. 

Lemma 6. If K is L-quasiregular, then REG ∩ CX.K = REG ∩ CX.L. 

Proof 

This follows from the fact that for a finite (and therefore regular) node set F 
and a regular tree t, the tree t[X := F] is regular, and hence belongs to L if and 
only if it belongs to K. □ 

Lemma 7. Let L be regular. Every regular tree in CX.L also belongs to BX.L. 

Proof 

Consider a regular tree t with m distinct subtrees. Let A be some automaton 
recognizing L, with k the index of the relation ≡_A. For a suitable choice of n, 
we will show that if t does not belong to the language B^n X.L, then an (L, X)-bad 
chain must exist. 

Consider indeed a set F of at least n nodes such that the tree t[X := F] 
belongs to L. By Lemma 4, this set has a trace path with more than k·m nodes. 
Let v < w be two nodes on this trace path such that 

$$t[X := F]|_v \;\equiv_A\; t[X := F]|_w \qquad \text{and} \qquad t|_v = t|_w.$$

Such two nodes exist by virtue of the trace path’s size. Moreover, since v 
and w are on the trace path, the intersection F ∩ Bet(v, w) is nonempty. Let 
u ∈ {0,1}* be such that w = v·u. 

We claim that the chain {v·u^i : i ∈ ℕ} is a bad chain. For this, we will show 
that for every i ∈ ℕ, the subchain C_i = {v·u^j : j < i} can be expanded to a set 
F_i satisfying t[X := F_i] ∈ L. 

This is done by pumping i times the part of the set F between v and w. 
Consider the following partition of F: 

$$F_1 = \{u' : u' < v\} \cap F \qquad F_2 = \mathrm{Bet}(v, w) \cap F \qquad F_3 = \{u' : u' \ge w\} \cap F.$$

One can easily check that the following set F_i contains the subchain C_i: 

$$F_i = F_1 \;\cup\; \bigcup_{j < i} v \cdot u^j \cdot v^{-1} \cdot F_2 \;\cup\; v \cdot u^i \cdot v^{-1} \cdot F_3.$$

Moreover, since for all j ∈ {0, ..., i}, the equivalence 

$$t[X := F_i]|_{v \cdot u^j} \;\equiv_A\; t[X := F]|_v$$

holds, the tree t[X := F_i] belongs to L. □ 

Using Lemma 7 above, we can show that quasiregular tree languages are 
closed under application of the bounding quantifier. 

Lemma 8. If K is quasiregular, then so is BX.K. 

Proof 

If K is quasiregular, then it is a union ⋃_{i∈I} L_i of some family of regular tree 
languages. Therefore BX.K is also a union of regular tree languages: 

$$BX.K = \bigcup_{i \in I} \;\bigcup_{j \ge 0} B^j X.L_i.$$

Let L be such that K is L-quasiregular. We will show: 

$$CX.L \cap \mathrm{REG} = BX.K \cap \mathrm{REG}.$$

The right to left inclusion follows from Lemma 6 and the simple inclusion 
BX.K ⊆ CX.K. The left to right inclusion follows from Lemma 7. □ 

Putting together the closure properties of quasiregular tree languages proved 
in this and the previous section, we obtain: 

Theorem 43. Satisfiability is decidable for existential bounding formulas, i.e. 
formulas built from MSOL formulas using B, ∃, ∧ and ∨. 

Proof 

By Lemmas 3 and 8, the language L(ψ) of an existential bounding formula ψ is 
L-quasiregular for some effectively obtained regular tree language L. By Fact 
42, the emptiness of L(ψ) is equivalent to the emptiness of L. □ 

Unfortunately, we cannot hope to extend the quasiregular tree language 
approach to decide all possible nestings of the bounding quantifier, as certified by 
the following Fact: 

Fact 44. Even for regular L, ¬BX.L is not necessarily quasiregular. 

Proof 

The language L in question is obtained from a formula ψ with free variables X 
and Y. This formula states that Y contains no infinite subchains and that X is 
a subchain of Y. 

In a regular tree t ∈ Val({X, Y}) with n distinct subtrees, a subchain of Y 
can be of size at most n; otherwise Y has an infinite subchain and ψ does not 
hold. Therefore ¬BX.L(ψ) is a nonempty language without a regular tree and 
cannot be quasiregular. □ 
4.3 The Unbounding Quantifier 

In this section we present a procedure which, given a regular language L ⊆ 
Val(Σ) and a variable X ∈ Σ, decides whether the language UX.L is nonempty. 
This implies that satisfiability is decidable for formulas of the form UX.ψ(X), 
where ψ is in MSOL. Unfortunately, we are unable to extend this decision 
procedure to accommodate nesting, the way we did in Theorem 43. On the other 
hand though, the procedure runs in polynomial time in the size of an input 
parity automaton. 

In order to help the reader’s intuition a bit, we will begin our analysis by 
debunking a natural, yet false, idea: for every regular language L there is some 
n ∈ ℕ such that the language UX.L is nonempty if and only if the language 
U^n X.L is. 

The intuition behind this idea would be that a pumping process should inflate 
arbitrarily a set F satisfying t[X := F] ∈ L once it has reached some 
threshold size. The problem, however, is that a tree may contain labels which 
are not part of the set F, and the pumping might violate this labeling. A suitable 
counterexample is the following language L ⊆ Val({X, Y}): 

X is a subset of Y and Y is a finite set. 

Obviously the language UX.L is empty, yet for every n ∈ ℕ, the language 
U^n X.L is nonempty. We will have to bear such issues in mind in the proofs 
below, taking care that we pump only the part of the labeling corresponding to 
X. 

Let us fix a set Σ, a regular language L ⊆ Val(Σ) and a variable X ∈ Σ for 
the rest of this section. We will use Γ to denote the set Σ \ {X}. Analogously 
to the “language” definition of BX.L in Section 4.1, we say a tree t ∈ Val(Γ) 
belongs to UX.L if there is no finite bound on the size of sets F such that 
t[X := F] ∈ L. 

An infinite sequence of nodes v is increasing if v_i < v_{i+1} holds for all i ∈ ℕ. 
A family of node sets 𝓕 is traced by an increasing sequence v of nodes if for all 
i ∈ ℕ, 

$$|F \cap \mathrm{Bet}(v_i, v_{i+1})| \ge i \quad \text{for some } F \in \mathcal{F}.$$

Lemma 9. Every family of node sets that contains sets of unbounded size is 
traced by some increasing sequence of nodes. 

We fix now some nondeterministic parity automaton recognizing L: 

$$A = (Q, P(\Sigma), q_I, \delta, \Omega).$$

Without loss of generality, we assume that every state q ∈ Q is used in some 
accepting run. The rest of this section is devoted to an analysis of this automaton 
and to establishing a structural property equivalent to the nonemptiness of the 
language UX.L. 

A descriptor is any element of Q × Ω(Q) × Q. With a P(Σ)-context C we 
associate the set Trans(C) consisting of those descriptors (q, m, r) such that 
there is a run of A that starts in the root of C in state q and: 

– The (finite) path of the run that ends in the hole of C 
uses states of rank at least m and ends in the state r. 

– All the (infinite) paths of the run that do not go through 
the hole of C satisfy the parity condition. 

The intuition is that Trans(C) describes the possible runs of A which go 
through the context C. The compositions of two descriptors and then of two 
sets of descriptors are defined below (descriptors which do not agree on the 
state p do not compose): 

$$(q, n, p) \cdot (p, m, r) = (q, \min(n, m), r) \qquad \text{(descriptor)}$$

$$X \cdot Y = \{x \cdot y : x \in X,\ y \in Y\} \qquad \text{(set of descriptors).}$$

The descriptor set of the context composition C·D can be computed from 
the composition of the descriptor sets of the contexts C and D: 

$$\mathrm{Trans}(C \cdot D) = \mathrm{Trans}(C) \cdot \mathrm{Trans}(D). \qquad (1)$$

We will also be using descriptors of P(Γ)-contexts. For a P(Γ)-context C 
and k ∈ ℕ, we define Trans_k(C) to be the set 

$$\bigcup_{F : |F| \ge k} \mathrm{Trans}(C[X := F]).$$




A schema is a pair R = (R*, R°) of descriptor sets. A schema is meant to 
describe a P(Γ)-context, the intuition being that the R° descriptors can be 
obtained from any sets F, while the R* descriptors are obtained from “large” 
sets. A P(Γ)-context C is said to k-realize a schema R if R° ⊆ Trans_0(C) and 
R* ⊆ Trans_k(C). The composition R·S of two schemas R = (R*, R°) and 
S = (S*, S°) is defined to be the schema 

$$R \cdot S = (R^* \cdot S^\circ \;\cup\; R^\circ \cdot S^*,\; R^\circ \cdot S^\circ).$$

The following obvious fact describes how composition of schemas corresponds 
to composition of P(Γ)-contexts. 

Fact 45. Let R and S be schemas which are respectively k-realized by P(Γ)-contexts 
C and D. The schema R·S is k-realized by the context C·D. 

We now proceed to define the notion of an infinitary sequence. The intuition 
here is that an infinitary sequence exhibits the existence of a tree belonging to 
UX.L, which is obtained by composing all the contexts in C: 

Definition 46. A sequence of schemas R is infinitary if both 

– There is a sequence of P(Γ)-contexts C such that for every n ∈ ℕ the schema 
R_n is n-realized by the context C_n; and 

– For some fixed state r ∈ Q and all n ∈ ℕ, there is a state sequence q with 
q_0 = r such that: 

1. For i < n, (q_i, m, q_{i+1}) ∈ R_i° for some rank m; 

2. For i = n, (q_i, m, q_{i+1}) ∈ R_i* for some rank m; 

3. For i > n, (q_i, m, q_{i+1}) ∈ R_i° for some even rank m. 

Lemma 10. UX.L is nonempty if and only if there is an infinitary sequence. 

Proof 

Consider first the right to left implication. Let R be the infinitary sequence 
with C and r ∈ Q being the appropriate sequence of contexts and starting state 
from Definition 46. Let t ∈ Val(Γ) be the infinite composition of all successive 
contexts in C: 

$$t = C_0 \cdot C_1 \cdot C_2 \cdots$$

Let D be a context such that (q_I, n, r) ∈ Trans(D) for some n ∈ Ω(Q). 
This context exists by our assumption on A not having useless states. Using the 
properties of the sequence R postulated in Definition 46, one can easily verify 
that the tree D[t] belongs to UX.L. 

For the left to right implication, consider a tree t in UX.L. From this tree we 
will extract an infinitary sequence. Consider the family of node sets 

$$\{F \subseteq \{0,1\}^* : t[X := F] \in L\}.$$

By assumption on t, this family contains sets of unbounded size. Therefore, 
by Lemma 9, it is traced by some increasing sequence v. Consider the sequence 
C of contexts, where C_i is obtained from the tree t|_{v_i} by placing the hole in the 
node corresponding to v_{i+1}. One can verify that the sequence of schemas 

$$R_i = (\mathrm{Trans}(C_i), \mathrm{Trans}_i(C_i)),$$

along with r = q_I, is infinitary. □ 

Although infinitary sequences characterize the unboundedness of L, they are 
a little hard to work with. That is why we use a special type of infinitary 
sequence, which nonetheless remains equivalent to the general case (cf. Lemma 
12). Consider a very simple schema R which consists of two loops in R° and a 
connecting descriptor in R*: 

$$R = (R^*, R^\circ) \quad \text{where} \quad R^\circ = \{(q, k, q), (p, m, p)\} \quad \text{and} \quad R^* = \{(q, n, p)\}.$$

We say the pair of states (q, p) used above is inflatable if the sequence R 
constantly equal R is infinitary, for some choice of ranks k, m and n. Note that 
in this case, the rank m must be even. 

Lemma 11. Whether a pair of states is inflatable can be decided in polynomial time. 

Proof 

For i ∈ ℕ, consider the set A_i of triples 

$$((q_1, n_1, p_1), (q_2, n_2, p_2), (q_3, n_3, p_3)) \in (Q \times \Omega(Q) \times Q)^3$$

such that for some P(Γ)-context C: 

– (q_3, n_3, p_3) ∈ Trans_0(C); 

– (q_2, n_2, p_2) ∈ Trans_i(C). 

Using a dynamic algorithm, the set A_i can be computed in time polynomial 
in i and the size of the state space Q. By a pumping argument, one can show 
that the pair (q, p) is inflatable if and only if 

$$((q, n_1, q), (q, n_2, p), (p, n_3, p)) \in A_{|Q|+1} \quad \text{for some even } n_3.$$

□ 

We now proceed to show Lemma 12, which shows that one can consider 
inflatable pairs instead of arbitrary infinitary sequences. 

Lemma 12. There is an infinitary sequence if and only if there is an inflatable pair. 

Proof 

An inflatable pair is by definition obtained from an infinitary sequence, hence 
the right to left implication. For the other implication, consider an infinitary 
sequence R along with the appropriate sequence of contexts C. With every 
two indices i < j, we associate the schema R[i, j] obtained by composing the 
schemas R_i ··· R_{j-1}. Since there is a finite number of schemas, by Ramsey’s 
Theorem [11] there is a schema R and a set of indices I = {i_1 < i_2 < ···} ⊆ ℕ 
such that R[i, j] = R for every i < j in I. Naturally, in this case R·R = R 
and, by Fact 45, the sequence constantly equal R is an infinitary sequence which 
realizes the sequence of contexts D defined by 

$$D_j = C_{i_j} \cdots C_{i_{j+1}-1}.$$

We will now show how to extract an inflatable pair from this sequence. Let q → p 
be the relation holding for those states q, p ∈ Q such that (q, m, p) belongs to R° 
for some rank m. Since R·R = R, the relation → is transitive. Let (q, m, p) ∈ R* 
be a descriptor used for infinitely many n in clause 2 of Definition 46. We claim: 

– r → q', q' → q' and q' → q, for some q' ∈ Q. This follows from transitivity 
of → if we take n in Definition 46 to be big enough to find a loop. 

– p → p' and (p', m, p') ∈ R° for some p' ∈ Q and even rank m. This is done 
as above. 

Consider finally the sequence of contexts E defined by 

$$E_i = D_i \cdot D_{i+1} \cdot D_{i+2} \cdots$$

By Fact 45, for all i ∈ ℕ the schema R·R·R = R is i-realized by the context 
E_i. One can easily verify that the sequence E witnesses the fact that (q', p') 
is an inflatable pair. □ 

From Lemmas 10, 11 and 12 we immediately obtain: 

Theorem 47. Satisfiability is decidable for formulas of the form UX.ψ, where ψ 
is in MSOL. 

Note that the appropriate algorithm is in fact polynomial in the size of a 
parity automaton recognizing ψ. 



5 Closing Remarks 

The results in this paper can only be thought of as initiating research regarding 
the bounding quantifier: we have not shown satisfiability decidable for the whole 
logic. The Theorems 43 and 47 can thus be improved by showing satisfiability 
decidable (or undecidable) for larger fragments than the ones considered above. 
Moreover, a better complexity assessment for Theorem 43 would be welcome. 
Abstract. This paper examines two-player turn-based perfect-information 
games played on infinite graphs. Our attention is focused on the 
classes of games where winning conditions are boolean combinations of 
the following two conditions: (1) the first one states that an infinite play 
is won by player 0 if during the play infinitely many different vertices were 
visited, (2) the second one is the well known parity condition generalized 
to a countable number of priorities. 

We show that, in most cases, both players have positional winning 
strategies and we characterize their respective winning sets. In the special 
case of pushdown graphs, we use these results to show that the sets of 
winning positions are regular and we show how to compute them as well 
as positional winning strategies in exponential time. 



1 Introduction 

Two-player games played on graphs have attracted a lot of attention in computer 
science. In verification of reactive systems it is natural to see the interactions 
between a system and its environment as a two-person game [19, 9]; in control 
theory the problem of controller synthesis often amounts to finding a winning 
strategy in an associated game [1]. 

Depending on the nature of the examined systems various types of two-player 
games are considered. The interactions between players can be turn-based [23, 19] 
or concurrent [7,8], finite like in reachability games or infinite like in parity 
or Muller games, the players can have perfect or imperfect information about 
the play. Moreover, the transitions may be deterministic or stochastic [6,8] and 
finally the system itself can be finite or infinite. 

Another source of diversity comes from players’ objectives, i.e. winning conditions. 

Our work has as a framework turn-based perfect information infinite games 
on pushdown graphs. The vertices of such graphs correspond to configurations 
of a pushdown automaton and edges are induced by push-down automaton 
transitions. The interest in such games comes, at least in part, from practical 
considerations: pushdown systems can model, to some extent, recursive procedure 
calls. On the other hand, pushdown graphs constitute one of the simplest classes 
of infinite graphs that admit non-trivial positive decidability results, and since 
the seminal paper of Muller and Schupp [14] many other problems have been shown to 
be decidable for this class [2, 13, 5, 18, 3, 22, 4, 17]. 

Let us describe briefly a play of such a game. The set of vertices is parti- 
tioned into two sets: vertices belonging to player 0 and vertices belonging to his 
adversary 1. Initially, a pebble is placed on a vertex. At each turn the owner 
of the vertex with the pebble chooses a successor vertex and moves the pebble 
onto it. Then the owner of this new vertex proceeds in the same way, and so on. 
The successive pebble positions form an infinite path in the graph, this is the 
resulting play. 

In this framework, different objectives have been studied. Such an objective 
is described in general as the set of infinite plays that are winning for player 0, 
and it is called a winning condition. A lot of attention has been given to the case 
where this set is regular, which gives rise to Muller and parity winning conditions 
[23, 22, 19] which lie on the level Δ_2 of the Borel hierarchy. However, recently 
Cachat et al. [5] presented a new winning condition of Borel complexity Δ_3 which 
still remains decidable. This Δ_3-condition specifies that player 0 wins a play if 
there is no vertex visited infinitely often. Yet another condition, the unboundedness condition, 
was introduced by Bouquet et al. [3]. The unboundedness condition states that 
player 0 wins a play if the corresponding sequence of stack heights is unbounded. 
Obviously the conditions of [5] and [3] are tightly related: if no configuration of 
the push-down system is visited infinitely often then the stack is unbounded. The 
converse can be established as well if the winning strategies are memoryless, i.e. 
do not depend on the past. 

In this paper, we first transfer the condition of [3] to arbitrary infinite graphs 
of finite degree. In the context of arbitrary infinite graphs we examine the Exploration 
condition which states that a play is won by player 0 if the pebble visits an 
infinite number of different vertices. Obviously for the particular case of pushdown 
graphs this gives the same condition as [3]. In fact we go a step further 
and consider the games whose winning conditions are boolean combinations of 
the Exploration condition and of the classical parity condition. We denote by 
Exploration ∪ Parity and Exploration ∩ Parity, respectively, the games obtained by taking the union and the 
intersection of the Exploration and Parity conditions. 

We also consider a particular extension of the classical Parity condition to 
the case with an infinite number of priorities (see also 
[11] for another approach to parity games with an infinity of priorities). 

We prove the following results in the context of games over arbitrary infinite 
graphs: 

— Both players have positional winning strategies for the game with the win- 
ning condition $\mathit{Exp} \cup \mathit{Parity}_\infty$, including the case where there is an infinite 
number of priorities. 

— In the case where there are finitely many priorities, player 1 also has a 
positional winning strategy in the game where the winning condition for 
player 0 is of type $\mathit{Exp} \cap \mathit{Parity}_d$. Moreover, we can easily characterize the set 
of winning positions of player 0. 

Even if general results concerning winning strategies over arbitrary infinite 
graphs are of some interest, we are much more interested in decidability results 
for the special case of pushdown graphs. In the case where the game graph is a 
pushdown graph, we prove for both types of games $\mathit{Exp} \cup \mathit{Parity}_d$ and 
$\mathit{Exp} \cap \mathit{Parity}_d$ that the sets of winning configurations (positions) for 
player 0 (and also for player 1) are regular subsets of $Q\Gamma^*$, where $Q$ is the set of 
states of the pushdown system and $\Gamma$ is the stack alphabet. We also provide an 
algorithm for computing a Büchi automaton with $2^{O(d|Q|^2 + |\Gamma|)}$ states (resp. 
$2^{O(d^2|Q|^2 + d|\Gamma|)}$ states for the intersection game) recognizing those winning sets, 
where $d$ is the number of priorities of the underlying parity game and $Q$ and $\Gamma$ are as 
stated above. Moreover, we show that for both games and both players, the 
set of winning positional strategies is regular and recognized by an alternating 
Büchi automaton. In the case of the $\mathit{Exp} \cup \mathit{Parity}_d$ game, this automaton has 
$O(d|Q|^2 + |\Gamma|)$ states, whereas in the case of the $\mathit{Exp} \cap \mathit{Parity}_d$ game it has 
$O(d^2|Q|^2 + d|\Gamma|)$ states. 

These results constitute an extension of the results of [5, 3, 22, 18, 20]. The 
papers [22, 20, 18] examine only Parity conditions with a finite number of prior- 
ities for pushdown games. Bouquet et al. [3] were able to extend the decidability 
results to the games with a winning condition of the form Büchi $\cup$ Exp or 
Büchi $\cap$ Exp, i.e. union and intersection of a Büchi condition with the Exploration 
condition. However this class of conditions is not closed under boolean opera- 
tions (intersecting Büchi and co-Büchi conditions with an Exploration condition 
is not in this class). In our paper we go even further, since we allow boolean com- 
binations of Exploration conditions with parity conditions. Since parity conditions, after 
appropriate transformations, are closed under boolean operations, we show in fact 
that it is decidable to determine the winner for the smallest class of conditions 
containing the Exploration and Büchi conditions and closed under finite boolean 
operations. 

For computing the winning sets and the winning strategies, we make use of 
tree automata techniques close to the ones originating in the paper of Vardi [20] 
and applied in [16, 12]. This is a radical departure from the techniques applied 
in [21, 22, 3, 18], which are based on game reductions. 

This paper is organized as follows. In the first part, we introduce some basic 
definitions and the notions of Exploration and Parity games. In the second part, 
we prove the results concerning the winning strategies for the games $\mathit{Exp} \cup 
\mathit{Parity}_\infty$ and $\mathit{Exp} \cap \mathit{Parity}_d$, and make some comments about the 
$\mathit{Parity}_\infty$ game. In the third part, we describe the construction of automata 
computing the winning sets and the winning positional strategies. Due to space 
limitation, most proofs are omitted and can be found in the full version [10]. 

2 Parity and Exploration Games 

In this section, we present basic notions about games and we define different 
winning conditions. 

2.1 Generalities 

The games we study are played on oriented graphs of finite degree, with no 
dead-ends, whose vertex set is partitioned between the vertices of player 0 and 
the vertices of player 1. Such a graph is called an arena. At the beginning of 
a play, a pebble is put on a vertex. During the play, the owner of the vertex 
with the pebble moves it to one of the successor vertices. A play is the infinite 
path visited by the pebble. A winning condition determines which player is the 
winner. Here follows the formal description of these notions. 

Let $G = (V,E)$ be an oriented graph with the set $E \subseteq V \times V$ of 
edges. Given a vertex $v$, $vE$ denotes the set of successors of $v$, $vE = \{w \in V : 
(v,w) \in E\}$, whereas $Ev$ is the set of predecessors of $v$. For a set $H \subseteq E$ of 
edges, $\mathit{Dom}(H)$, the domain of $H$, denotes the set of the vertices adjacent to 
edges of $H$. 



Arenas. An arena is a tuple $(V, V_0, V_1, E)$, where $(V,E)$ is a graph of 
finite degree with no dead-ends and $(V_0, V_1)$ is a partition of $V$. Let $i \in \{0,1\}$ be 
a player. $V_i$ is the set of vertices of player $i$. We will often say that $G = (V,E)$ 
itself is an arena, when the partition $(V_0, V_1)$ is obvious. An infinite path in $G$ is 
called a play, whereas a finite path in $G$ is called a finite play. When the vertices 
of $G$ are labeled with natural numbers by a map $\varphi : V \to \mathbb{N}$, $G$ is said to be a 
parity arena. 



Winning conditions. A winning condition determines the winner of 
a play. Formally, it is a subset $\mathit{Vic} \subseteq V^\omega$ of the set of infinite plays. A game is 
a couple $(G, \mathit{Vic})$ made of an arena and a winning condition. Often, when the 
arena $G$ is obvious, we will say that $\mathit{Vic}$ itself is a game. A play $p \in V^\omega$ is won 
by player 0 if $p \in \mathit{Vic}$. Otherwise, if $p \notin \mathit{Vic}$, it is said to be won by player 1. 
$\mathit{Vic}$ is said to be prefix-independent if $V^* \mathit{Vic} = \mathit{Vic}$. 



Strategies. Depending on the finite path 
followed by the pebble, a strategy allows a player to choose between a restricted 
number of successor vertices. Let $i \in \{0,1\}$ be a player. Formally, a strategy for 
player $i$ is a map $\sigma$ which associates to any finite play $v_0 \cdots v_n$ such that $v_n \in V_i$ 
a nonempty subset $\sigma(v_0 \cdots v_n) \subseteq v_nE$. A play $p = (v_n)_{n \in \mathbb{N}} \in V^\omega$ is said to be 
consistent with $\sigma$ if, for any $n$ such that $v_n \in V_i$, $v_{n+1} \in \sigma(v_0 \cdots v_n)$. Given a 
subset $X \subseteq V$ of the vertices, a strategy for player $i$ is said to be winning the 
game $(G, \mathit{Vic})$ on $X$ if any infinite play starting in $X$ and consistent with this 
strategy is won by player $i$. If there exists such a strategy, we say that player $i$ 
wins $(G, \mathit{Vic})$ on $X$. If $X = V$, we simply say that $i$ wins $(G, \mathit{Vic})$. The winning 
set of player $i$ is the greatest set of vertices such that $i$ wins $\mathit{Vic}$ on this set. 
Positional strategies. With certain strategies, the choices advised to the player 
depend only on the current vertex. Such a strategy can be simply described by 
the set of edges it allows the player to use. A set $\sigma \subseteq E$ is a positional strategy for 
player $i$ in the arena $G$ if there is no dead-end in the subgraph $(\mathit{Dom}(\sigma), \sigma)$ 
induced by $\sigma$ and $\sigma$ does not restrict the moves of the adversary: if $v \in V_{1-i} \cap 
\mathit{Dom}(\sigma)$ then $\{v\} \times vE \subseteq \sigma$. Let $X \subseteq V$ be a subset of vertices. If $\mathit{Dom}(\sigma) = X$, 
$\sigma$ is said to be defined on $X$. We say that a player wins positionally a game $\mathit{Vic}$ 
on $X$ if he has a positional strategy winning on $X$. 

Subarenas and traps. Let $X \subseteq V$ be a subset of vertices and $F \subseteq E$ a subset 
of edges. $G[X]$ denotes the graph $(X, E \cap X^2)$ and $G[X,F]$ denotes the graph 
$(\mathit{Dom}(F) \cap X, F \cap X^2)$. When $G[X]$ or $G[X,F]$ is an arena, it is said to be a 
subarena of $G$. $X$ is said to be a trap for player $i$ in $G$ if $G[X]$ is a subarena and 
player $i$ cannot move outside of $X$, i.e. $\forall v \in X \cap V_i$, $vE \subseteq X$. 



2.2 Winning Conditions 

Let $G = (V, V_0, V_1, E)$ be an arena and $X \subseteq V$. We define various winning 
conditions. 

Attraction to $X$. Player 0 wins if the pebble visits $X$ at least once. The 
corresponding winning condition is $\mathit{Attraction}(X) = V^* X V^\omega$. The winning set 
for player 0 is denoted by $\mathit{Att}_0(G, X)$ or $\mathit{Att}_0(X)$, when $G$ is obvious. Symmetri- 
cally, we define $\mathit{Att}_1(G, X)$ and $\mathit{Att}_1(X)$, the sets of vertices from which player 1 can 
attract the pebble to $X$. Note that for this game, both players have positional 
winning strategies. 



Trap in $X$. Player 0 wins the trap game in $X$ if the 
pebble stays ultimately in $X$. The winning condition is $\mathit{Trap}(X) = V^* X^\omega$. The 
dual game is the Büchi game to $X$, where player 0 wins if the pebble visits $X$ 
infinitely often. The winning condition is $\mathit{Büchi}(X) = (V^* X)^\omega$. 

Exploration. This is a game over an infinite graph, where player 0 wins a 
play if the pebble visits infinitely many different vertices. The winning condition 
is $\mathit{Exp} = \{v_0 v_1 \cdots \in V^\omega \mid \text{the set } \{v_0, v_1, \ldots\} \text{ is infinite}\}$. 

The exploration condition is an extension of the Unboundedness condition 
introduced in [3]. The Unboundedness condition concerns games played on the 
configuration graph of a pushdown system. On such a graph, the set of plays is 
exactly the set of runs of the underlying pushdown automaton, and player 0 wins a play 
if the height of the stack is unbounded, which happens if and only if infinitely 
many different configurations of the pushdown automaton are visited. 

The exploration condition is also closely related to the $\Sigma_3$-condition consid- 
ered in [5], which states that player 0 wins a play if every vertex is visited finitely often. 
Notice that such a play is necessarily also winning for the exploration condition, 
but the converse is not true. However, given an arena, it is easy to see that 
each player has the same positional winning strategies for both games. Since 
the Exploration game is won positionally by both players (cf. Proposition 1), it 
follows that both games have the same winning positions. Hence, in that sense, the 
Exploration game and the $\Sigma_3$-game introduced in [5] are equivalent. 

Parity. $G$ is a parity arena equipped with a priority mapping $\varphi : V \to \mathbb{N}$. 
Player 0 wins a play if there exists a highest priority visited infinitely often and 
this priority is even, or if the sequence of priorities is unbounded. Thus, the 
winning condition is 

$\mathit{Parity}_\infty = \{(v_i)_{i \in \mathbb{N}} \in V^\omega : \lim_{i \in \mathbb{N}} \varphi(v_i) \in \{0, 2, \ldots, +\infty\}\}$ 

where $\lim_{i \in \mathbb{N}} \varphi(v_i) = \lim_{i \in \mathbb{N}} \sup_{j \geq i} \varphi(v_j)$ denotes the limit sup of the infinite 
sequence of visited priorities. If $G$ is labeled by a finite number of priorities, i.e. 
if there exists $d \in \mathbb{N}$ such that $\varphi : V \to [0, d]$, we also write the winning condition 
as $\mathit{Parity}_d$. In this case, a classical result [9, 19, 23] states that both players win 
this game positionally. 
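To make the attractor and parity definitions above concrete, here is an added Python example for finite arenas; it is not code from the paper. It computes $\mathit{Att}_i(G, X)$ by backward reachability together with the positional attractor strategy, solves $\mathit{Parity}_d$ by the classical attractor recursion on the highest priority (the finite-arena instance of the attractor-and-induction argument used in the proof of Proposition 2 below), and evaluates the $\mathit{Parity}_d$ condition on an ultimately periodic play. The arena, its vertex names and the class and function names are constructed for this illustration. On a finite arena $\mathit{Exp}$ is empty, so the Exploration part of the games is not covered here.

```python
from collections import deque


class Arena:
    """Finite parity arena (V, V0, V1, E) with priorities phi : V -> [0, d].
    owner[v] in {0, 1}, succ[v] lists the successors of v, prio[v] = phi(v)."""

    def __init__(self, owner, succ, prio):
        self.owner, self.succ, self.prio = dict(owner), dict(succ), dict(prio)
        self.V = set(self.owner)
        assert all(self.succ[v] for v in self.V), "an arena has no dead-ends"
        self.pred = {v: set() for v in self.V}          # Ev, the predecessors of v
        for v, ws in self.succ.items():
            for w in ws:
                self.pred[w].add(v)

    def sub(self, X):
        """Induced subarena G[X]. Callers pass traps, so G[X] has no dead-ends."""
        return Arena({v: self.owner[v] for v in X},
                     {v: [w for w in self.succ[v] if w in X] for v in X},
                     {v: self.prio[v] for v in X})


def attractor(G, i, X):
    """Att_i(G, X) by backward reachability from X.
    Returns (attractor, positional strategy: own vertex -> successor to play)."""
    att = set(X) & G.V
    strategy = {}
    # number of successors of an opponent vertex that are still outside att
    escapes = {v: len(set(G.succ[v])) for v in G.V}
    queue = deque(att)
    while queue:
        w = queue.popleft()
        for v in G.pred[w]:
            if v in att:
                continue
            if G.owner[v] == i:            # player i can move into the attractor
                att.add(v)
                strategy[v] = w
                queue.append(v)
            else:                          # the opponent is forced once all exits are gone
                escapes[v] -= 1
                if escapes[v] == 0:
                    att.add(v)
                    queue.append(v)
    return att, strategy


def parity_regions(G):
    """Winning regions (W0, W1) of Parity_d on a finite arena: the highest priority
    seen infinitely often decides, even for player 0. Recursion on the top priority."""
    if not G.V:
        return set(), set()
    d = max(G.prio.values())
    i, j = d % 2, 1 - d % 2                      # player i likes priority d
    A, _ = attractor(G, i, {v for v in G.V if G.prio[v] == d})
    W = parity_regions(G.sub(G.V - A))           # V \ A is a trap for player i
    if not W[j]:                                 # i wins everywhere outside A, hence everywhere
        return (G.V, set()) if i == 0 else (set(), G.V)
    B, _ = attractor(G, j, W[j])                 # j wins on W[j] and on what is attracted to it
    W2 = parity_regions(G.sub(G.V - B))
    Wi, Wj = W2[i], W2[j] | B
    return (Wi, Wj) if i == 0 else (Wj, Wi)


def lasso_winner(G, prefix, cycle):
    """Winner under Parity_d of the ultimately periodic play prefix . cycle^omega:
    the limsup of the priorities is the largest priority occurring on the cycle."""
    return 0 if max(G.prio[v] for v in cycle) % 2 == 0 else 1


# Constructed example: circles a, c belong to player 0; squares b, d to player 1.
EXAMPLE_ARENA = Arena(
    owner={"a": 0, "b": 1, "c": 0, "d": 1},
    succ={"a": ["b", "c"], "b": ["a", "d"], "c": ["c"], "d": ["d"]},
    prio={"a": 1, "b": 2, "c": 3, "d": 0},
)

if __name__ == "__main__":
    print(attractor(EXAMPLE_ARENA, 0, {"b"}))
    print(parity_regions(EXAMPLE_ARENA))
```

In the constructed arena player 0 must avoid the self-loop on c (priority 3) and go to b, after which player 1 loses whether he returns to a (the cycle has top priority 2) or moves to the self-loop on d (priority 0); the recursion returns exactly these regions, and the attractor strategy it records is positional.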



3 Playing the Games $\mathit{Exp} \cup \mathit{Parity}_\infty$ and $\mathit{Exp} \cap \mathit{Parity}_d$ 

In this section we study the winning strategies for the games $\mathit{Exp} \cup \mathit{Parity}_\infty$ and 
$\mathit{Exp} \cap \mathit{Parity}_d$. In the case of the game $\mathit{Exp} \cup \mathit{Parity}_\infty$ we show that each player 
has a positional strategy winning on the set of his winning positions. Concerning 
the game $\mathit{Exp} \cap \mathit{Parity}_d$ we show that this remains true for player 1, and we 
exhibit an arena where no winning strategy of player 0 is positional. However, 
we give a characterization of the winning set of player 0. 

3.1 The Game $\mathit{Exp} \cup \mathit{Parity}_\infty$ 

$G$ is a parity arena equipped with $\varphi : V \to \mathbb{N}$. 

Proposition 1. Both players win positionally the game $\mathit{Exp} \cup \mathit{Parity}_\infty$ on their 
respective winning sets. 

Proof. It is crucial to observe that $\mathit{Exp} \cup \mathit{Parity}_\infty$ can be expressed as the limit 
of a decreasing sequence of winning conditions: 

$\mathit{Exp} \cup \mathit{Parity}_\infty = \bigcap_{n \in \mathbb{N}} \mathit{Vic}_n$, 

where 

$\mathit{Vic}_n = \mathit{Attraction}(\varphi^{-1}(\{n+1, n+2, \ldots\})) \cup \mathit{Exp} \cup \mathit{Parity}_n$. 

Moreover, each game $(G, \mathit{Vic}_n)$ is won positionally by players 0 and 1 on their 
winning sets $X_n$ and $V \setminus X_n$. It is easy to establish that player 1 wins positionally 
$(G, \bigcap_n \mathit{Vic}_n)$ on $\bigcup_n (V \setminus X_n)$. For winning positionally $\bigcap_n \mathit{Vic}_n$ on 
$\bigcap_n X_n$, player 0 can manage to play in such a way that, as long as the pebble 
stays in $\varphi^{-1}(\{0, 1, \ldots, n\})$, the play is consistent with a winning strategy for $\mathit{Vic}_n$. 
Then, if the pebble stays ultimately in some set $\varphi^{-1}(\{0, \ldots, n\})$, the play is won for the 
condition $\bigcap_{m \geq n} \mathit{Vic}_m \subseteq \mathit{Exp} \cup \mathit{Parity}_\infty$. If the pebble leaves every set 
$\varphi^{-1}(\{0, \ldots, n\})$, then the play visits infinitely many different vertices and the play 
is won for $\mathit{Exp}$ by player 0. □ 

62    H. Gimbert 

Since the $\mathit{Exp}$ game is a special case of the $\mathit{Exp} \cup \mathit{Parity}_\infty$ game where all the 
vertices are labeled with priority 1, we get the following corollary. 

Corollary 1. Both players win positionally the game $\mathit{Exp}$ on their respective winning sets. 

3.2 The Game $\mathit{Parity}_\infty$ 

A natural question that arises is whether the players have positional win- 
ning strategies for the $\mathit{Parity}_\infty$ game. Notice that $\mathit{Exp} \subseteq \mathit{Parity}_\infty$ in the special 
case where, for every priority $d$, $\varphi^{-1}(d)$ is finite. Indeed, any play visiting in- 
finitely many different vertices will visit infinitely many different priorities. 

Hence, in this special case, by Proposition 1, the game $\mathit{Parity}_\infty$ is won posi- 
tionally by both players. This is not true anymore if $\varphi^{-1}(d)$ is infinite for some 
$d$. Consider the example given on Fig. 1. The circles are the vertices of player 0 
and the squares those of player 1. Player 0 wins $\mathit{Parity}_\infty$ from everywhere but 
has no positional winning strategy. 




Fig. 1. Player 0's strategy must recall the highest odd vertex reached by player 1 in 
the lower row in order to answer with a higher even vertex in the second row 



It is interesting to note that if the winning player is determined by the lowest 
priority visited infinitely often rather than by the greatest one, then both players 
have positional winning strategies, even if infinitely many priorities are assumed 
[11]. 

3.3 The Game $\mathit{Exp} \cap \mathit{Parity}_d$ 

The analysis of the $\mathit{Exp} \cap \mathit{Parity}_d$ game extends the results of [23]. In this section, 
$G$ is a parity arena equipped with $\varphi : V \to [0, d]$. 

Proposition 2. Player 1 wins positionally the game $\mathit{Exp} \cap \mathit{Parity}_d$ on his winning set. 

Proof. Without loss of generality, we can assume that player 1 wins everywhere. 
The proof is by induction on $d$. 

If $d = 0$, it is impossible for player 1 to win any play and his winning set 
is empty. If $d$ is odd, let $W$ be the attractor for player 1 of the set 
of vertices coloured by the maximal odd priority $d$. Since $V \setminus W$ is a trap for 
player 1 coloured from 0 to $d - 1$, by the inductive hypothesis player 1 can 
win positionally $(G[V \setminus W], \mathit{Exp} \cap \mathit{Parity}_{d-1})$ with some strategy $\sigma_{V \setminus W}$. To win, 
player 1 uses $\sigma_{V \setminus W}$ inside $V \setminus W$ and attracts the pebble to a vertex of 
colour $d$ when it reaches the set $W$. That way, either the play stays ultimately 
in $V \setminus W$ and some suffix is consistent with $\sigma_{V \setminus W}$, or it reaches the odd priority 
$d$ infinitely often. In both cases, player 1 is the winner. 

The case where $d$ is even is less trivial. It is easy to prove that there exists 
a greatest subarena of $G$ where player 1 wins positionally. It remains to prove 
that this subarena coincides with the whole arena. □ 

It may happen that player 0 has a winning strategy from every vertex but 
no positional winning strategy. Such an example is given by Fig. 2. 

Fig. 2. To win the $\mathit{Exp} \cap \mathit{Parity}_2$ game, player 0 has to visit new vertices arbitrarily 
far to the right-hand side of the arena and has also to visit the unique vertex of colour 
2 infinitely often 



Nevertheless, we can characterize the arenas in which player 0 wins the game 
$\mathit{Exp} \cap \mathit{Parity}_d$ from every position: 

Proposition 3. Let $G = (V, E)$ be a parity arena with $\varphi : V \to [0, d]$, $d > 0$, and let 
$D = \varphi^{-1}(d)$ be the set of vertices of priority $d$. Player 0 wins the game 
$(G, \mathit{Exp} \cap \mathit{Parity}_d)$ from every position if and only if there exists a set $W \subseteq V$ 
such that $G[W]$ is a subarena coloured from 0 to $d - 1$ and: 

• Case $d$ even: player 0 wins the game $(G, \mathit{Exp})$, player 0 wins the game 
$(G, \mathit{Attraction}(D))$ on $V \setminus W$, and player 0 wins the game 
$(G[W], \mathit{Exp} \cap \mathit{Parity}_{d-1})$. 

• Case $d$ odd: player 0 wins positionally the game $(G, \mathit{Trap}(W))$ with a positional 
strategy $\sigma_{\mathit{Trap}(W)}$, and player 0 wins the game 
$(G[W, \sigma_{\mathit{Trap}(W)}], \mathit{Exp} \cap \mathit{Parity}_{d-1})$. 

The conditions of Proposition 3 are illustrated on Fig. 3. 

Note that winning the game $(G[W, \sigma_{\mathit{Trap}(W)}], \mathit{Exp} \cap \mathit{Parity}_{d-1})$ means 
that player 0 has a strategy $\sigma_W$ winning the game $(G[W], \mathit{Exp} \cap \mathit{Parity}_{d-1})$ 
which advises player 0 to play moves consistent with the positional strategy 
$\sigma_{\mathit{Trap}(W)}$. 
Fig. 3. Conditions of Proposition 3 (left: odd case; right: even case) 



Proof. We sketch the proof of the direct implication. In the case where $d$ is even 
this proof is simple. Consider $W = V \setminus \mathit{Att}_0(D)$. Since $W$ is a trap for player 0, 
player 0 wins $(G[W], \mathit{Exp} \cap \mathit{Parity}_{d-1})$. The other claims are trivially true. 

The case where $d$ is odd is more tricky. We establish first that the family of 
subarenas of $G$ where Proposition 3 holds is closed under arbitrary union, then we 
prove that the maximal arena of this family is necessarily $G$ itself. 

We sketch the proof of the converse implication. We shall construct a strategy 
$\sigma_G$ for player 0 winning the game $(G, \mathit{Exp} \cap \mathit{Parity}_d)$. This construction depends 
on the parity of $d$. 

$d$ odd. By hypothesis, player 0 has a positional strategy $\sigma_{\mathit{Trap}(W)}$ winning the 
game $(G, \mathit{Trap}(W))$ and a strategy $\sigma_{\mathit{Sub}}$ winning the game $(G[W, \sigma_{\mathit{Trap}(W)}], 
\mathit{Exp} \cap \mathit{Parity}_{d-1})$. The strategy $\sigma_G$ is constructed in the following way: 

• If the pebble is not in $W$, player 0 plays according to her positional strategy 
$\sigma_{\mathit{Trap}(W)}$. 

• If the pebble is in $W$, player 0 uses her strategy $\sigma_{\mathit{Sub}}$ in the following way: let 
$p$ be the sequence of vertices visited up to now and let $p'$ be the longest suffix 
of $p$ consisting of vertices of $W$. Player 0 takes a move according to $\sigma_{\mathit{Sub}}(p')$. 

The strategy $\sigma_G$ is winning for the game $(G, \mathit{Exp} \cap \mathit{Parity}_d)$. Indeed, since 
$\sigma_{\mathit{Sub}}$ is a strategy in the arena $G[W, \sigma_{\mathit{Trap}(W)}]$, all moves consistent with $\sigma_G$ 
are consistent with $\sigma_{\mathit{Trap}(W)}$. Hence the play is ultimately trapped in $W$ and is 
ultimately consistent with $\sigma_{\mathit{Sub}}$, thus won by player 0. 

$d$ even. By hypothesis and by Corollary 1, player 0 has a positional strategy 
$\sigma_{\mathit{Exp}} \subseteq E$ winning $(G, \mathit{Exp})$. She also has a positional strategy $\sigma_{\mathit{Att}} \subseteq E$ winning 
$(G, \mathit{Attraction}(D))$ on $V \setminus W$ and a strategy $\sigma_{\mathit{Sub}}$ winning the game $(G[W], \mathit{Exp} \cap 
\mathit{Parity}_{d-1})$. 

$\sigma_G$ is constructed in the following way. At any given moment player 0 is in 
one of three playing modes: Exploration, Attraction or Sub. She can change 
the mode when the pebble moves to a new vertex. Player 0 begins to play 
in Exploration mode. Here follows the precise description of the strategy $\sigma_G$, 
summarized by Fig. 4. 
• The playing mode Exploration can occur wherever the pebble is. Player 0 
plays according to her positional strategy $\sigma_{\mathit{Exp}}$. When a new vertex $v$ is 
visited for the first time, the mode is changed either to Sub mode if $v \in W$ 
or to Attraction mode if $v \notin W$. 

• The playing mode Attraction can occur only if the pebble is not in $W$. Player 
0 plays according to her positional strategy $\sigma_{\mathit{Att}}$. When a vertex of priority 
$d$ is eventually visited, the playing mode is switched to Exploration. 

• The playing mode Sub can occur only if the pebble is in $W$. Player 0 plays 
using her strategy $\sigma_{\mathit{Sub}}$ in the following way. Let $p$ be the sequence of vertices 
visited up to now and $p'$ the longest suffix of $p$ consisting of vertices of $W$. 
Then 0 takes a move according to $\sigma_{\mathit{Sub}}(p')$. If the pebble leaves $W$, the 
playing mode is switched to Exploration. 



Fig. 4. Rules of transition between playing modes: from Exploration ($\sigma_{\mathit{Exp}}$), discovering 
a new vertex $v$ leads to Sub if $v \in W$ and to Attraction ($\sigma_{\mathit{Att}}$) if $v \notin W$; reaching 
colour $d$ in Attraction mode, or going out of $W$ in Sub mode, leads back to Exploration 



Notice that, by definition of $\sigma_{\mathit{Att}}$ and $\sigma_{\mathit{Exp}}$, it is not possible that an infi- 
nite play consistent with $\sigma_G$ stays forever in the playing modes Exploration or 
Attraction. Hence, such a play can be of two different types. Either the pebble 
stays ultimately in the playing mode Sub or it goes infinitely often through the modes 
Exploration and Attraction. In the first case, it stays ultimately in $W$ and the 
play is ultimately consistent with $\sigma_{\mathit{Sub}}$. In the second case, the pebble visits 
infinitely often the even priority $d$ and discovers infinitely often a new vertex. In 
both cases, this play is won by player 0 for the $\mathit{Exp} \cap \mathit{Parity}_d$ condition. □ 



4 Computation of the Winning Sets and Strategies on 
Pushdown Arenas 

In this section, we apply our results to the case where the infinite graph is the 
graph of the configurations of a pushdown automaton, and we get an algorithm 
to compute the winning sets. Moreover, in all cases except for player 0 in the 
game $\mathit{Exp} \cap \mathit{Parity}_d$, we can also compute winning positional strategies. 
A pushdown system is a tuple $P = (Q, \Gamma, \Delta, \bot)$ where $Q$ is a finite 
set of control states, $\Gamma$ is a finite stack alphabet, $\bot$ is a special letter called the 
stack bottom, $\bot \notin \Gamma$, and $\Delta \subseteq Q \times (\Gamma \cup \{\bot\}) \times (\Gamma \cup \{-1\}) \times Q$ is the set of 
transitions. 

The transition $(q, a, \beta, r) \in \Delta$ is said to be a push transition if $\beta \in \Gamma$ and 
a pop transition if $\beta = -1$. In both cases, it is said to be an $a$-transition and 
a $(q, a)$-transition. Concerning $\bot$, we impose the restriction that there exists no 
pop $\bot$-transition. Moreover, we work only with complete pushdown systems, in 
the sense that, for every couple $(q, a) \in Q \times (\Gamma \cup \{\bot\})$, there exists at least one 
$(q, a)$-transition. 

Notice that, in the sense of language recognition, any pushdown automaton 
is equivalent to one of this kind, and the reduction is polynomial. 

A configuration of $P$ is a sequence $q\gamma$, where $q \in Q$ and $\gamma \in \Gamma^*$. Intuitively, $q$ 
represents the current state of $P$ while $\gamma$ is the stack content above the bottom 
symbol $\bot$. We assume that the symbols on the right of $\gamma$ are at the top of the 
stack. Note that $\bot$ is assumed implicitly at the bottom of the stack, i.e. actually 
the complete stack content is always $\bot\gamma$. 

The set of all configurations of $P$ is denoted by $V_P$. The transition relation $E_P$ 
over configurations is defined in the usual way: let $q\gamma a$, where $q \in Q$, $\gamma \in 
\Gamma^*$ and $a \in \Gamma$, be a configuration. 

• $(q\gamma a, r\gamma) \in E_P$ if there exists a pop transition $(q, a, -1, r) \in \Delta$, 

• $(q\gamma a, r\gamma a\beta) \in E_P$ if there exists a push transition $(q, a, \beta, r) \in \Delta$. 

Let $q\varepsilon$ be a configuration with empty stack. Then 

• $(q\varepsilon, r\beta) \in E_P$ if there exists a push transition $(q, \bot, \beta, r) \in \Delta$. 

We shall write $q\gamma \xrightarrow{\delta} r\gamma'$ to express that a transition $\delta \in \Delta$ of the pushdown 
automaton corresponds to an edge $(q\gamma, r\gamma') \in E_P$ between two configurations. 
The graph $G_P = (V_P, E_P)$ is called the configuration graph of $P$. 

If $Q$ is partitioned in $(Q_0, Q_1)$, this partition extends naturally to the set of 
configurations of $P$ and $G_P$ is an arena. Moreover, when the control states 
$Q$ are labeled by priorities with a map $\varphi : Q \to [0, d]$, this labeling extends 
naturally to $V_P$ by setting $\varphi(q\gamma) = \varphi(q)$. $G_P$ is then a parity arena. 

Coding tree of a set of edges. With any subset $\sigma \subseteq E_P$ of the edges of a 
pushdown arena we associate a tree $T_\sigma : \Gamma^* \to 2^\Delta$ with vertices labeled by sets 
of transitions of $P$. This construction is illustrated by Fig. 5. 

A vertex of the tree is a stack content of $P$. A transition $\delta \in \Delta$ belongs to 
the set labeling a vertex $\gamma \in \Gamma^*$ if there exists a state $q \in Q$ and a configuration 
$r\gamma'$ such that $q\gamma \xrightarrow{\delta} r\gamma'$ and $(q\gamma, r\gamma') \in \sigma$. Such a tree is called the coding tree 
of $\sigma$. Notice that the transformation $\sigma \mapsto T_\sigma$ is one-to-one. If $\sigma$ is a strategy for 
player $i$, we call $T_\sigma$ a strategy tree for player $i$. 

The next theorem states that the language of positional winning strategies is 
regular. Thus, we can build a Büchi alternating automaton of size $O(d|Q|^2 + |\Gamma|)$ 
which recognizes the language of couples $(\sigma_0, \sigma_1)$ such that $\sigma_i$ is a winning posi- 
tional strategy for player $i$ and the domains of $\sigma_0$ and $\sigma_1$ constitute a partition of 
$V_P$. In the case of the $\mathit{Parity}_d$ and $\mathit{Exp} \cup \mathit{Parity}_d$ games, Proposition 1 establishes 
that this language is non-empty. Hence it is possible to compute a regular tree 
$(\sigma_0, \sigma_1)$ of size $2^{O(d|Q|^2 + |\Gamma|)}$. This regular tree can be seen as the description of 
a couple of winning stack strategies for both players. This kind of strategy has 
been defined in [21]. 

Fig. 5. A finite subset of $E_P$ and its coding tree. Only the labels of the vertices 
$\{\varepsilon, a, \beta, aa, a\beta, \beta a, \beta\beta\}$ are represented. Other vertices of the coding tree are labeled 
with $\emptyset$ 

Theorem 1. Let $\mathit{Vic} \in \{\mathit{Parity}_d, \mathit{Exp} \cup \mathit{Parity}_d, \mathit{Exp} \cap \mathit{Parity}_d\}$ and let $i$ be a 
player. The language of strategy trees of positional strategies winning the game $(G_P, \mathit{Vic})$ 
for player $i$ is regular, recognized by an alternating Büchi automaton $A_{\mathit{Vic},i}$ with 
$O(d|Q|^2 + |\Gamma|)$ states. 

Proof. The construction of $A_{\mathit{Vic},i}$ uses techniques close to those of [20, 16]. 
Unfortunately, we could not use directly the results of those papers 
about two-way tree automata, because we do not know how to use a two-way 
automaton to detect a cycle in a strategy tree. 

Our aim is to construct a tree automaton recognizing a tree $t : \Gamma^* \to 2^\Delta$ iff 
there exists a winning positional strategy $\sigma$ such that $t = T_\sigma$. In fact we shall 
rather construct a Büchi alternating automaton recognizing the complement of 
the set $\{T_\sigma \mid \sigma \text{ winning positional strategy}\}$. First of all, it is easy to implement 
an alternating automaton verifying whether the tree $t$ is a strategy tree. It is 
less trivial to construct the automaton checking whether a positional strategy $\sigma \subseteq E_P$ 
is winning. However, this can be expressed by a simple criterion concerning 
the cycles and the exploration paths of the graph $(\mathit{Dom}(\sigma), \sigma)$ induced by $\sigma$. 
These criteria are summarized in Table 1. 

We have to construct automata checking each condition of Table 1. They are 
derived from an automaton detecting the existence of a special kind of finite 
path called a jump. A jump between two vertices with the same stack $\gamma$ is a 
path between those vertices that never pops any letter of $\gamma$ (see Fig. 6). 
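As an added worked example (not part of the paper), the Python code below builds the configuration graph $G_P$ of a small complete pushdown system according to the definitions of this section, including the empty-stack rule and the ban on pop $\bot$-transitions, enumerates the finite part of $G_P$ up to a stack-height bound, computes the coding tree $T_\sigma$ of a set of edges $\sigma$, and tests whether a path between two configurations with the same stack is a jump in the sense just defined. The pushdown system, the names PushdownSystem, coding_tree and is_jump, and the encoding of $\bot$ as the string "_|_" and of a pop as the value -1 are all assumptions of this illustration.

```python
from collections import deque

BOTTOM = "_|_"   # the stack-bottom symbol (assumed encoding); never pushed, never popped
POP = -1         # beta == -1 marks a pop transition


class PushdownSystem:
    """P = (Q, Gamma, Delta, bottom). A transition (q, a, beta, r) fires in control state q
    when a is on top of the stack (a in Gamma, or BOTTOM when the stack is empty); it pushes
    the letter beta, or pops the top letter when beta == POP, and moves to state r."""

    def __init__(self, states, gamma, delta):
        self.Q, self.Gamma, self.Delta = frozenset(states), frozenset(gamma), frozenset(delta)
        for (q, a, beta, r) in self.Delta:
            assert q in self.Q and r in self.Q
            assert a in self.Gamma or a == BOTTOM
            assert beta == POP or beta in self.Gamma
            assert not (a == BOTTOM and beta == POP), "no pop transition on the bottom symbol"
        # completeness: every pair (q, a) has at least one (q, a)-transition
        for q in self.Q:
            for a in self.Gamma | {BOTTOM}:
                assert any(t[0] == q and t[1] == a for t in self.Delta), f"no ({q},{a})-transition"

    @staticmethod
    def top(stack):
        return stack[-1] if stack else BOTTOM

    def step(self, conf, t):
        """Target of transition t from configuration conf = (state, stack), or None if t does
        not apply. The stack is a string over Gamma, top letter on the right, bottom implicit."""
        q, stack = conf
        p, a, beta, r = t
        if p != q or a != self.top(stack):
            return None
        return (r, stack[:-1]) if beta == POP else (r, stack + beta)

    def successors(self, conf):
        """Successors of conf in the configuration graph G_P (the set conf E_P)."""
        return [c for c in (self.step(conf, t) for t in self.Delta) if c is not None]

    def explore(self, start, max_height):
        """Configurations and edges of the part of G_P reachable from start with stack
        height <= max_height. G_P itself is infinite; this is only a finite window on it."""
        seen, edges, queue = {start}, set(), deque([start])
        while queue:
            c = queue.popleft()
            for c2 in self.successors(c):
                if len(c2[1]) > max_height:
                    continue
                edges.add((c, c2))
                if c2 not in seen:
                    seen.add(c2)
                    queue.append(c2)
        return seen, edges


def coding_tree(P, sigma):
    """Coding tree T_sigma of an edge set sigma of G_P: maps a stack content gamma to the set
    of transitions delta realising some edge (q gamma, r gamma') of sigma. Stacks that are
    absent from the dict carry the empty label."""
    tree = {}
    for (src, dst) in sigma:
        for t in P.Delta:
            if P.step(src, t) == dst:
                tree.setdefault(src[1], set()).add(t)
    return tree


def is_jump(path):
    """A jump between two configurations with the same stack gamma is a path between them
    that never pops a letter of gamma, i.e. gamma stays a prefix of every stack on the path.
    A cycle is a jump from a configuration to itself."""
    gamma = path[0][1]
    return path[-1][1] == gamma and all(stack.startswith(gamma) for (_, stack) in path)


# Constructed example: control states p, q and stack alphabet {a, b}. The system is
# complete, and its only bottom-transitions are pushes.
EXAMPLE_PDS = PushdownSystem(
    states={"p", "q"},
    gamma={"a", "b"},
    delta={("p", BOTTOM, "a", "p"), ("p", "a", "a", "p"), ("p", "a", POP, "q"),
           ("p", "b", "b", "p"), ("q", "a", POP, "q"), ("q", "b", POP, "q"),
           ("q", BOTTOM, "a", "p")},
)

if __name__ == "__main__":
    configs, edges = EXAMPLE_PDS.explore(("p", ""), max_height=2)
    print(len(configs), "configurations,", len(edges), "edges")
    print(coding_tree(EXAMPLE_PDS, edges))
```

The coding tree inverts the edge set exactly as the text describes: a transition is attached to the stack content of the edge's source, and because a transition fixes both control states, $\sigma$ can be read back from $T_\sigma$, which is the one-to-one property used by the automata constructions.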
Table 1. Characterization of winning positional strategies 

Winning condition                      | i | Condition on cycles | Condition on exploration paths 
$\mathit{Parity}_d$                    | 0 | Even                | Even 
                                       | 1 | Odd                 | Odd 
$\mathit{Exp} \cup \mathit{Parity}_d$  | 0 | Even                | No condition 
                                       | 1 | Odd                 | No exploration path 
$\mathit{Exp} \cap \mathit{Parity}_d$  | 0 | No cycle            | Even 
                                       | 1 | No condition        | Odd 

Fig. 6. A jump from $q\gamma$ to $r\gamma$ in a strategy tree 

This kind of path is interesting since a cycle is simply a jump from a vertex to 
itself, and because the existence of an exploration path of priority $c$ is equivalent 
to the existence of one of the two kinds of paths illustrated on Fig. 7. 

Due to the high computational power of alternation, it is possible to construct 
automata checking the existence of jumps and detecting the kinds of paths of 
Fig. 7, with only $O(d|Q|^2 + |\Gamma|)$ control states. □ 

Computing the winning sets. Using the automata recognizing the languages of 
winning positional strategies, it is possible to recognize the language of winning 
positions. For each player $i$, Theorem 2 leads to an EXPTIME procedure to 
compute a regular tree $\Gamma^* \to 2^Q$ of exponential size that associates with a stack 
$\gamma$ the set $\{q \in Q : q\gamma \text{ is winning for player } i\}$. Once computed, deciding if a 
given position is winning for player $i$ can be done in linear time. 

Theorem 2. Let $\mathit{Vic} \in \{\mathit{Parity}_d, \mathit{Exp} \cup \mathit{Parity}_d, \mathit{Exp} \cap \mathit{Parity}_d\}$ and let $i$ be a 
player. The tree $\Gamma^* \to 2^Q$ which associates with a stack $\gamma$ the set 
$\{q \in Q : q\gamma \text{ is winning for player } i \text{ in } (G_P, \mathit{Vic})\}$ is regular, recognized by a 
non-deterministic Büchi tree automaton with $2^{O(d|Q|^2 + |\Gamma|)}$ states if $\mathit{Vic} \in 
\{\mathit{Parity}_d, \mathit{Exp} \cup \mathit{Parity}_d\}$ and with $2^{O(d^2|Q|^2 + d|\Gamma|)}$ states if $\mathit{Vic} = 
\mathit{Exp} \cap \mathit{Parity}_d$. 

Proof. For the games $\mathit{Parity}_d$ and $\mathit{Exp} \cup \mathit{Parity}_d$ this theorem is a direct corol- 
lary of Theorem 1. In fact, we can build a Büchi alternating automaton which 
recognizes the language of couples $(\sigma_0, \sigma_1)$ such that $\sigma_i$ is a winning positional 
strategy for player $i$ and the domains of $\sigma_0$ and $\sigma_1$ are a partition of $V_P$. The 
winning sets are then obtained by projection, which requires transforming this 
alternating automaton into a non-deterministic one and leads to an exponential 
blowup of the state space [15]. 
Fig. 7. The dotted arrows are jumps of priority less than $c$. The top-down regular 
arrows are push transitions, while the bottom-up ones are pop transitions. On the left- 
hand side, infinitely many jumps have priority $c$. On the right-hand side, the upper 
jump, which is a loop, has priority $c$ 



In the case of the $\mathit{Exp} \cap \mathit{Parity}_d$ game, we also use the characterization of the 
winning sets given by Proposition 3. We define the notion of a winning-proof, 
which is a tree on $\Gamma^*$ labeled by tuples of subsets of $\Delta$, defined such that 
the existence of a winning-proof in an arena is equivalent to the conditions of 
Proposition 3. Here follows the definition of a $d$-winning-proof in a subarena $G$ of 
a pushdown arena $G_P$. 

In the case where $d = 0$, it is a strategy tree $T_{\sigma_{\mathit{Exp}}}$ winning the game $(G, \mathit{Exp})$. 

In the case where $d > 0$ and $d$ is even, it is a tuple $T_d = (T', T_{\sigma_{\mathit{Exp}}}, T_{\sigma_{\mathit{Att}}}, T_{d-1})$ 
where $T'$ is the coding tree of a subarena $G'$ of $G$, $T_{\sigma_{\mathit{Exp}}}$ is a strategy tree winning 
the game $(G, \mathit{Exp})$, $T_{\sigma_{\mathit{Att}}}$ is a strategy tree winning the game $(G, \mathit{Attraction}(D))$ 
outside $\mathit{Dom}(G')$ and $T_{d-1}$ is a $(d-1)$-winning-proof in $G'$. 

In the case where $d$ is odd, it is a tuple $T_d = (T', T_{\sigma_{\mathit{Trap}}}, T_{d-1})$ where $T'$ is 
the coding tree of a subarena $G'$ of $G$, $T_{\sigma_{\mathit{Trap}}}$ is a strategy tree winning the game 
$(G, \mathit{Trap}(\mathit{Dom}(G')))$ and $T_{d-1}$ is a $(d-1)$-winning-proof in $G'$. 

Each one of those $O(d)$ conditions can be verified with an alternating au- 
tomaton with $O(d|Q|^2 + |\Gamma|)$ states. The corresponding automata constructions 
are very close to those of Theorem 1. Hence, the language of $d$-winning-proofs 
is regular and recognized by an alternating automaton with $O(d^2|Q|^2 + d|\Gamma|)$ 
states. 

As in the positional case, by projection, we obtain the desired non- 
deterministic automaton with $2^{O(d^2|Q|^2 + d|\Gamma|)}$ states. □ 



Acknowledgements. We thank Wieslaw Zielonka and Olivier Serre for some en- 
lightening discussions on games on pushdown graphs, and the anonymous referees 
for their careful comments. 
Abstract. In this paper we present a method for integrating equational 
reasoning into instantiation-based theorem proving. The method em- 
ploys a satisfiability solver for ground equational clauses together with 
an instance generation process based on an ordered paramodulation type 
calculus for literals. The completeness of the procedure is proved using 
the model generation technique, which allows us to justify redun- 
dancy elimination based on appropriate orderings. 



1 Introduction 

The basic idea of instantiation-based theorem proving is to combine clever gen- 
eration of instances of clauses with propositional satisfiability checking. Thus, it 
seems to be promising to exploit the impressive performance of modern proposi- 
tional SAT technology in the more general context of first-order theorem proving. 
Accordingly, we have seen several attempts recently at designing new first-order 
prover architectures combining efficient propositional reasoning into instance 
generation scenarios, cf. [4, 11, 5, 15, 3, 12, 9, 13] among others. 

Integration of efficient equational reasoning into such systems has been a 
challenging problem, important for many practical applications. In this paper 
we show how to integrate equational reasoning into the instantiation framework 
developed in [8] . In [8] we presented instance generation inference systems based 
on selection from propositional models, together with a notion of redundancy 
based on closure orderings, and showed their refutational completeness. 

Our approach of integrating equational reasoning into this framework aims 
to preserve attractive properties of the instantiation process, in particular: 

1. no recombination of clauses, 

2. the length of clauses does not grow, 

3. optimal efficiency in the ground case, 

4. semantic selection, 

5. redundancy criteria. 

As in our previous work, we will use in a modular fashion a satisfiability 
solver for ground clauses. Let us remark that in the presence of equality such 
solvers have received considerable attention and very efficient implementations 
are available, see e.g. [7]. We also use selection based on models of ground clauses 
to guide the theorem proving process. Another ingredient of our procedure is a 
paramodulation-based calculus for reasoning with sets of literals. As we show, 
with the help of such a calculus it is possible to generate suitable instances of 
clauses, witnessing unsatisfiability of the selected literals on the ground level. For 
the completeness proofs we use the model generation technique (see [1, 2, 14]) 
which allows us to justify redundancy elimination based on entailment from 
smaller clauses, where "smaller" refers to suitable closure orderings. 

J. Marcinkowski and A. Tarlecki (Eds.): CSL 2004, LNCS 3210, pp. 71-84, 2004. 

Let us briefly compare our method with the two other approaches we are aware 
of that deal with equational reasoning in the context of instantiation-based 
theorem proving. In [13] and [16] an equational version of the disconnection cal- 
culus is presented; however, in their method, literals from different clauses are 
recombined into a new clause when (superposition-type) equational steps are 
done. Our instance generation inference systems entirely avoid that recombina- 
tion which, according to [11], can be a major source of inefficiency in resolution- 
and superposition-type inference systems. In [15], Plaisted and Zhu consider an 
extension of their OSHL calculus with equality. It is based on paramodulation 
with unit clauses, but for non-unit clauses it requires the generally less efficient 
Brand's transformation method. Our method is applicable to arbitrary first- 
order clauses with equality. 



2 Preliminaries 

We shall use standard terminology for first-order clause logic with equality. The 
symbol ≈ is used to denote formal equality. By ⊨ we denote entailment in 
first-order logic with equality. A clause is a possibly empty multiset of literals 
L_i, usually written L_1 ∨ ... ∨ L_n; a literal being either an equation s ≈ t or a 
disequation u ≉ v built from terms s, t, u, and v over the given signature. We 
consider ≈ (and ≉) as symmetric syntactically, identifying s ≈ t with t ≈ s. We 
say that C is a sub-clause of D, and write C ⊆ D, if C is a sub-multiset of D. 
The empty clause, denoted by □, denotes falsum. If L is a literal, L̄ denotes the 
complement of L. 

A substitution is called a proper instantiator of an expression (a term, literal, 
or clause) if at least one variable of the expression is mapped to a non-variable 
term. We call D more specific than C if Cτ = D for some proper instantiator 
τ of C. Renamings are injective substitutions, sending variables to variables. 
Two clauses are variants of each other if one can be obtained from the other by 
applying a renaming. 

Instance-based theorem proving requires us to work with a refined notion of 
instances of clauses that we call closures. A closure is a pair consisting of a clause 
C and a substitution σ, written C·σ. We work modulo renaming, that is, we do 
not distinguish between closures C·σ and D·τ for which C is a variant of D 
and Cσ is a variant of Dτ. Note the distinction between the two notations Cσ 
and C·σ. The latter is a closure, the former an instance of C, which is a clause. A 
closure is called ground if it represents a ground clause. A (ground) closure C·σ 
is called a (ground) instance of a set of clauses S if C is a clause in S, and then 
we say that the closure C·σ is a (ground) closure of a clause from S. 

Inference systems and completeness proofs will be based on orderings on 
ground clauses and closures. Let ≻_gr be a total simplification ordering on ground 
terms. We can assume that ≻_gr is defined on ground clauses by a total, well-founded 
and monotone extension of the order from terms to clauses, as defined, 
e.g., in [14]. We will extend ≻_gr in two ways to orderings on ground closures. 
The first ordering is ≻_l, defined in Section 4, and will be used in reasoning with 
the unit paramodulation calculus UP. The second is ≻_cl, defined in Section 5, 
and will be used in reasoning about instantiations of clauses. 

The (Herbrand) interpretations we deal with are sometimes partial, given 
by consistent sets I of ground literals. (As usual, I is called consistent if, and 
only if, I ⊭ □.) A ground literal L is called undefined in I if neither I ⊨ L 
nor I ⊨ L̄. I is called total if no ground literal is undefined in I. A ground 
clause C is called true (or valid) in a partial interpretation I if I ⊨ C. This 
is the same as saying that J ⊨ C for each total extension J of I. C is called 
false in I if I ⊨ ¬C, or, equivalently, if J ⊭ C for each total extension J of I. 
Truth values for closures are defined from the truth values of the clauses they 
represent. 



3 An Informal Description of the Procedure 

Let us first informally describe our instantiation-based inference process for equa- 
tional reasoning. We assume that a satisfiability solver for ground equational 
clauses is given. 

Let S be a given set of first-order clauses. We start by mapping all variables 
in all clauses in S to a distinguished constant ⊥, obtaining a set of ground 
clauses S⊥. If S⊥ is unsatisfiable then S is first-order unsatisfiable and we are 
done. Otherwise, we non-deterministically select a literal from each clause in S, 
obtaining a set of literals ℒ. 

The next natural step, similar to the case without equality, would be to 
consider applicable ordered paramodulation inferences, but instead of generating 
paramodulants to generate corresponding instances of clauses. Unfortunately, 
adding these instances is not sufficient for a solver on ground clauses to detect 
unsatisfiability, as the following example shows. Consider the unsatisfiable set 
of literals S = {f(h(x)) ≈ c, h(y) ≈ y, f(a) ≉ c}. The only applicable ordered 
paramodulation inference is between the first and the second equation, but the 
resulting instances are the given equations themselves. On the other hand, the 
set of ground literals S⊥ is satisfiable, so a solver for ground literals cannot 
detect the unsatisfiability of S. 

Our approach to this problem is to apply separate first-order reasoning with 
the selected literals ℒ. If ℒ is first-order satisfiable, then S is satisfiable and we 
are done. Otherwise, we generate relevant instances of clauses from S witnessing 
unsatisfiability of ℒ at the ground level. This is done using a paramodulation-based 
system on literals. In particular, relevant instances can be generated by 
propagating substitutions from proofs of the empty clause in such a system. 
Finally, we add the obtained instances to S, and repeat the procedure. 
Let us now modify the previous example and assume that the literals above 
are among the selected ones in some clauses, e.g., 

S = {f(h(x)) ≈ c ∨ h(h(x)) ≉ a, h(y) ≈ y, f(a) ≉ c} 

ℒ = {f(h(x)) ≈ c, h(y) ≈ y, f(a) ≉ c}. 

We can derive the empty clause from ℒ by first paramodulating the second 
literal into the first literal, followed by paramodulation of the result into the 
third literal. Now, from this paramodulation proof we can extract a relevant 
substitution σ, which maps x and y to a. Then, the new set of clauses is obtained 
by applying σ to the old clauses: S' = S ∪ {f(h(a)) ≈ c ∨ h(h(a)) ≉ a, h(a) ≈ 
a}. Now, the set S'⊥ can be shown to be unsatisfiable by a solver for ground 
clauses (using h(a) ≈ a, the added clause reduces to f(a) ≈ c ∨ h(a) ≉ a, both 
of whose literals are contradicted by the ground literals f(a) ≉ c and h(a) ≈ a), 
so we conclude that the original set S is first-order unsatisfiable. In the 
case that S'⊥ is satisfiable we would continue the procedure with this new set of 
clauses. Let us note that usually the search for the proof of the empty clause 
from the set of literals is done via some kind of saturation process which can 
generate a lot of inferences. But the proof itself usually involves only some of 
them, and as we have seen, we need to propagate only substitutions used in the 
proof. 

We use a solver for ground clauses not only for testing unsatisfiability of S⊥. 
In addition, in the case of satisfiable S⊥, the instantiation process can be guided 
by a model I⊥ of S⊥. For this, we restrict the selection of literals to the literals 
L such that L⊥ is true in I⊥. 

Now we overview how we are going to prove completeness of such an instantiation 
process. First, in Section 4 we introduce a calculus UP for ground closures of 
literals based on ordered paramodulation. We will use this calculus to obtain 
relevant instantiations of clauses. Then, in Section 5 we show that if a set of clauses 
is saturated enough, then either it is satisfiable, or otherwise its unsatisfiability 
can be detected by a ground solver. In the subsequent Section 6 we show how to 
obtain a saturated set as a limit of a fair saturation process. The problem of how 
to ensure that a saturation process is fair is considered in Section 7. Up to this 
point we are working with the UP calculus defined on ground closures. Ground 
closures allow us to present completeness proofs and fine-grained notions of 
redundancy. Nevertheless, from the practical point of view it is infeasible to work 
with each ground closure separately, and therefore in Section 8 we present the 
UPL calculus which is a lifted version of UP. Finally, in Section 9 we consider 
the issue of how to propagate information on redundant closures to the UPL 
calculus. This is done via dismatching constraints. 



4 Unit Paramodulation on Literal Closures 

In this section we introduce an inference system on ground closures of literals, 
based on ordered paramodulation. This system (and its lifted versions) will be 
used to guide our instantiation process as shown in the following sections. 
Unit-Paramodulation calculus (UP) 

Paramodulation: 

    (l ≈ r)·σ    L[l']·σ' 
    --------------------- 
         L[r]θ·ρ 

where (i) lσ ≻_gr rσ; (ii) θ = mgu(l, l'); (iii) lσ = l'σ' = l'θρ; (iv) l' is not 
a variable. 

Equality resolution: 

    (s ≉ t)·τ 
    --------- 
        □ 

where (i) sτ = tτ; (ii) ρ = mgu(s, t). 

An inference in UP is called proper if the substitution θ (respectively ρ) is a proper 
instantiator and non-proper otherwise. Let us note that a set of literal closures 
can be contradictory, yet the empty clause is not derivable in UP. 

Example 1. Consider a set of literal closures ℒ = {(f(x) ≈ b)·[a/x], a ≈ 
b, f(b) ≉ b} and assume that a ≻_gr b. Then, ℒ is inconsistent but the empty 
clause is not derivable by UP from ℒ. (The equation a ≈ b cannot be paramodulated 
into (f(x) ≈ b)·[a/x], since the only candidate subterm is the variable x, and 
paramodulating (f(x) ≈ b)·[a/x] into f(b) ≉ b violates condition (iii), as 
f(x)[a/x] = f(a) ≠ f(b).) 



UP-redundancy. Let R be an arbitrary ground rewrite system and ℒ be a set of 
literal closures; we denote by irr_R(ℒ) the set of closures L·σ ∈ ℒ with σ irreducible 
w.r.t. R. In order to introduce the notion of UP-redundancy we need the 
following ordering on literal closures. Let ≻_l be an arbitrary total well-founded 
extension of ≻_gr from ground literals to ground closures of literals, such that if 
Lσ ≻_gr L'σ' then L·σ ≻_l L'·σ'. 

Let ℒ be a set of literal closures. We say that L·σ is UP-redundant in ℒ if for 
every ground rewrite system R oriented by ≻_gr, and such that σ is irreducible 
w.r.t. R, we have R ∪ irr_R(ℒ_{L·σ ≻_l}) ⊨ Lσ. Here, ℒ_{L·σ ≻_l} denotes the set of all 
closures in ℒ less than L·σ w.r.t. ≻_l. We denote the set of all UP-redundant 
closures in ℒ as R_UP(ℒ). With the help of this redundancy notion we can justify 
the following simplification rule. 

Non-proper Demodulation 

    (l ≈ r)·σ    L[l']·σ' 
    --------------------- 
         L[r]θ·σ' 

where (i) l' = lθ, (ii) lσ ≻_gr rσ, (iii) θ is a non-proper instantiator, 
(iv) lσ = l'σ', (v) Var(r) ⊆ Var(l), (vi) L[l']σ' ≻_gr (l ≈ r)σ. 

Let us show that non-proper demodulation is a simplification rule, i.e., after 
adding the conclusion of this rule the right premise becomes UP-redundant. 

Lemma 1. Non-proper demodulation is a simplification rule: after adding the 
conclusion L[r]θ·σ' to a set of literal closures containing the premises, the right 
premise L[l']·σ' is UP-redundant in that set. 

Proof. Indeed, let L[r]θ·σ' be the conclusion of an application of the non-proper 
demodulation rule with the premises (l ≈ r)·σ, L[l']·σ'. Now let R be a 
rewrite system orientable by ≻_gr such that σ' is irreducible w.r.t. R. Since θ is 
a non-proper instantiator, l' = lθ, and Var(r) ⊆ Var(l), we have that σ is also 
irreducible. Therefore, L[l']σ' follows from the smaller closures (l ≈ r)·σ and 
L[r]θ·σ'. 
Let us show that demodulation with proper unifiers cannot be used as a 
simplification rule in general. 

Example 2. Consider the following closures. 

(1) (g(x) ≈ c)·[f(d)/x]        (3) (f(d) ≈ m)·[] 

(2) (g(f(x)) ≈ c)·[d/x]        (4) (g(m) ≉ c)·[] 

We can derive the empty clause by UP inferences from (2), (3) and (4). But 
if we simplify (2) by demodulation with (1) we obtain a tautological closure and 
the empty clause would not be derivable by UP. The reason for this is that the 
substitution [f(d)/x] in (1) is reducible (by (3)), whereas the substitution [d/x] 
in (2) is not. 

An UP-saturation process is a finite or infinite sequence of sets of closures 
of literals {ℒ_i}_{i≥1} where each set ℒ_i is obtained from ℒ_{i-1} by either adding a 
conclusion of an UP-inference with premises from ℒ_{i-1} or by removing an 
UP-redundant w.r.t. ℒ_{i-1} closure. Let us denote by ℒ^∞ the set of persisting closures, 
that is, the lower limit of the sequence ℒ_i. An UP-saturation process {ℒ_i}_{i≥1} is 
called UP-fair, if for every UP-inference with premises in ℒ^∞ the conclusion is 
redundant w.r.t. ℒ_i for some i. 

Lemma 2. Let {ℒ_i}_{i≥1} and {ℒ'_i}_{i≥1} be UP-fair saturation processes with 
ℒ_1 = ℒ'_1. Then ℒ^∞ \ R_UP(ℒ^∞) = ℒ'^∞ \ R_UP(ℒ'^∞). 

This lemma allows us to introduce for every set of literal closures ℒ its unique 
UP-saturation ℒ^sat, where ℒ^sat = ℒ^∞ \ R_UP(ℒ^∞), for some UP-fair saturation 
process. 

5 Completeness for Saturated Sets of Clauses 

In this section we prove that if a set of clauses S is saturated enough, then either 
it can be shown to be unsatisfiable by a ground solver, i.e., S⊥ is unsatisfiable, 
or otherwise S is first-order satisfiable. In the later sections we show how to 
achieve saturated sets. 

First we introduce the notion of Inst-redundancy which will be used to extract 
relevant closures from clause sets, and also to measure progress in the 
instantiation process. For this we extend the order ≻_gr from ground clauses to 
ground closures as follows. We say that C·τ ≻'_cl D·ρ if either Cτ ≻_gr Dρ or 
Cτ = Dρ and Cθ = D for a proper instantiator θ. It is straightforward to see 
that ≻'_cl is a well-founded order, so we define ≻_cl to be any total well-founded 
extension of ≻'_cl. 

Let S be a set of clauses and C a ground closure. C is called Inst-redundant in 
S if there exist closures C_1, ..., C_k that are ground instances of S such that (i) 
for each i, C ≻_cl C_i, and (ii) C_1, ..., C_k ⊨ C. A clause C (possibly non-ground) 
is called Inst-redundant in S if each ground closure C·σ is Inst-redundant in S. 
We denote the set of Inst-redundant closures in S as R_Inst(S). 

See www.cs.man.ac.uk/~korovink for the proof, omitted due to the lack of space. 

Consider a set of clauses S and a model I⊥ of S⊥. A selection function based 
on I⊥ is a function mapping clauses to literals such that for each C ∈ S, sel(C) ∈ 
C and sel(C)⊥ is true in I⊥. Let us consider a selection function sel based on I⊥. 
Define the set of S-relevant instances of literals ℒ_S as the set of all literal closures 
L·σ such that 

1. L ∨ C ∈ S, 

2. (L ∨ C)·σ is not Inst-redundant in S, 

3. L = sel(L ∨ C). 

Let ℒ_S^sat denote the UP-saturation of ℒ_S. We say that the set of clauses S is 
Inst-saturated w.r.t. a selection function sel, if ℒ_S^sat does not contain the empty 
clause. The following auxiliary lemma about UP is obvious. 

Lemma 3. Let R be a ground rewrite system and consider a UP-inference with 
premises (l ≈ r)·σ, L[l']·σ' and conclusion L[r]θ·ρ. If σ and σ' are irreducible 
w.r.t. R, then ρ is irreducible w.r.t. R. 

Now we are ready to prove our main completeness theorem. Let us remark 
that in the proof we will use both orderings ≻_l and ≻_cl. In fact, the model 
construction will be done in ≻_l, but the counterexample reduction in ≻_cl. 

Theorem 1. Let S be a set of clauses, I⊥ a model of S⊥ and sel a selection 
function based on I⊥. If S is Inst-saturated w.r.t. sel, then S is satisfiable. 


Proof. Let S be an Inst-saturated set of clauses, such that S⊥ is satisfiable in 
a model I⊥, and sel is a selection function based on I⊥. Let ℒ_S be the S-relevant 
instances of literals. We have that ℒ_S^sat does not contain the empty clause. 

By induction on ≻_l we construct a candidate model to S based on ℒ_S^sat. 
Suppose, as an induction hypothesis, that sets of literals ε_M have been defined 
for the ground closures M ∈ ℒ_S^sat smaller than L in ≻_l, and let I_L denote the 
set ∪_{M ≺_l L} ε_M. Let R_L denote the ground rewrite system obtained by orienting 
all positive equations in I_L w.r.t. ≻_gr. Suppose that L = L'·σ. Then define 
ε_L = {L'σ}, if 

1. L'σ is irreducible by R_L, and 

2. L'σ is undefined in I_L (i.e. neither I_L ⊨ L'σ nor I_L ⊨ ¬L'σ). 

In this case we say that L is productive. Otherwise, we define ε_L = ∅. Define 
I_S to be the set ∪_{L ∈ ℒ_S^sat} ε_L and R_S = ∪_{L ∈ ℒ_S^sat} R_L. It is easy to see that I_S is 
consistent, R_S is a convergent interreduced rewrite system and every Lσ ∈ I_S 
is irreducible by R_S. Let I be an arbitrary total consistent extension of I_S. Now 
we show that I is a model of all ground instances of S. Assume otherwise. 

Let D = D'·σ be the minimal w.r.t. ≻_cl ground instance of S that is false 
in I. Let us show that for every variable x in D', xσ is irreducible by R_S. 
Otherwise, let (l → r)τ ∈ R_S and xσ = xσ[lτ]_p for some variable x in D'. Then 
we can define a substitution σ' by changing σ on x with xσ' = xσ[rτ]_p. We have 
that I ⊭ D'σ' and D ≻_cl D'·σ', which contradicts the minimality of the 
counterexample. 

Now we note that D is not Inst-redundant in S. Otherwise it would follow 
from smaller, w.r.t. ≻_cl, closures D_1, ..., D_n. Hence, one of the D_i is false in I, 
contradicting the minimality of the counterexample. 

Since D is not Inst-redundant, we have that for some literal L, D' = L ∨ D'' 
and L·σ ∈ ℒ_S. And also Lσ is false in I. 

Assume that L·σ is UP-redundant in ℒ_S^sat. Then, since σ is irreducible by 
R_S we have 

R_S ∪ irr_{R_S}({R·σ' ∈ ℒ_S^sat | L·σ ≻_l R·σ'}) ⊨ Lσ. 

Therefore, there is L'·σ ∈ irr_{R_S}(ℒ_S^sat) false in I (if L·σ is not UP-redundant 
in ℒ_S^sat we take L'·σ = L·σ). Let M·τ be the minimal w.r.t. ≻_l closure in 
irr_{R_S}(ℒ_S^sat) which is false in I. Let us show that M·τ is irreducible by R_S. 

Otherwise, assume that M·τ is reducible by l → r ∈ R_τ and (l' ≈ r')·ρ ∈ ℒ_S^sat 
is the closure producing l ≈ r in R_τ. Since τ is irreducible by R_τ, a UP-inference 
is applicable to (l' ≈ r')·ρ and M[l'']·τ with the conclusion M[r']θ·ρ, where 
l'ρ = l''τ = l''θρ and θ = mgu(l', l''). We have that M[r']θ·ρ is false in I. Now 
we show that M[r']θ·ρ is not UP-redundant in ℒ_S^sat. Assume otherwise. From 
Lemma 3 it follows that ρ is irreducible by R_τ. From the definition of UP-redundancy 
we have 

R_τ ∪ irr_{R_τ}({M'·τ' ∈ ℒ_S^sat | M[r']θ·ρ ≻_l M'·τ'}) ⊨ M[r']θρ. 

Therefore, there is M'·τ' ∈ irr_{R_τ}(ℒ_S^sat) such that M·τ ≻_l M[r']θ·ρ ≻_l 
M'·τ' and M'τ' is false in I. This contradicts the minimality of M·τ. But, 
if M[r']θ·ρ is not UP-redundant we have M[r']θ·ρ ∈ ℒ_S^sat, and since ρ is 
irreducible by R_τ, M[r']θ·ρ ∈ irr_{R_τ}(ℒ_S^sat); we again obtain a contradiction 
to the minimality of M·τ. We conclude that M·τ is irreducible by R_S. 

Now we have that M·τ is in ℒ_S^sat, irreducible by R_S, and not productive. 
Therefore I_{M·τ} ⊨ ¬Mτ. Consider all possible cases. Let M·τ be an equation 
(s ≈ t)·τ. We have that I_{M·τ} ⊨ (s ≉ t)τ. Since all literals in I_{M·τ} and sτ, tτ are 
irreducible by R_{M·τ}, and R_{M·τ} is a convergent rewrite system, we have (s ≉ t)τ ∈ 
I_{M·τ}. Therefore (s ≉ t)τ is produced to I_{M·τ} by some (s' ≉ t')·τ'. But this is 
impossible since (s' ≉ t')τ' = (s ≉ t)τ ≻_gr (s ≈ t)τ = Mτ, and hence (s' ≉ t')·τ' ≻_l M·τ. 
Now assume that M·τ is a disequation (s ≉ t)·τ. We have I_{M·τ} ⊨ (s ≈ t)τ 
and since sτ and tτ are irreducible by R_{M·τ} we have sτ = tτ. But then equality 
resolution is applicable to M·τ, contradicting that ℒ_S^sat does not contain the 
empty clause. 

Finally we conclude that I is a model for S. 

6 Effective Saturation Strategies 

In this section we shall investigate how saturation of a set of clauses can be 
achieved effectively. First we show how saturation is done on closures and later 
we show how the saturation process can be lifted to general clauses. 
An Inst-saturation process is a sequence of triples {(S^i, I^i_⊥, sel^i)}_{i≥1}, where 
S^i is a set of clauses, I^i_⊥ a model of S^i⊥ and sel^i a selection function based on 
that model. Given (S^i, I^i_⊥, sel^i), the next triple (S^{i+1}, I^{i+1}_⊥, sel^{i+1}) is obtained 
by one of these steps: (i) S^{i+1} = S^i ∪ N, where N is a set of clauses such that 
S^i ⊨ N; or (ii) S^{i+1} = S^i \ {C}, where C is Inst-redundant in S^i. If S^{i+1}⊥ 
is unsatisfiable, the process terminates with the result “unsatisfiable”. Let us 
denote by S^∞ the set of persisting clauses, that is, the lower limit of {S^i}_{i≥1}. 
In order to ensure that we always reach an Inst-saturated set in the limit of the 
saturation process we need the notion of Inst-fair saturation. 

Consider a finite set of closures K = {(L_1 ∨ C_1)·σ, ..., (L_n ∨ C_n)·σ} of 
clauses from S^∞. We denote ℒ = {L_1·σ, ..., L_n·σ}. The pair (K, ℒ) is called 
a persistent conflict if ℒ^sat contains the empty clause and for infinitely many i 
we have sel^i(L_j ∨ C_j) = L_j for 1 ≤ j ≤ n. 

We call an Inst-saturation process Inst-fair, if for every persistent conflict 
(K, ℒ), at least one of the closures in K is Inst-redundant in S^i for some i. 

Now our goal is to show that for the limit S^∞ of an Inst-fair saturation 
process, such that S^∞⊥ is satisfiable, we can build a model I⊥ and a selection 
function sel based on I⊥ such that S^∞ is Inst-saturated w.r.t. sel. The main 
problem here is that when we use selection functions based on truth in propositional 
models, these models change when we add more instances. Note that it is 
possible that the limit S^∞ of an Inst-fair saturation process is not Inst-saturated 
for some model I⊥ of S^∞⊥; likewise it is possible that I^i_⊥ ∪ I^j_⊥ is inconsistent 
for every i ≠ j (so, for example, we cannot take the union of the I^i_⊥ for I⊥). 



Lemma 4. Let S^∞ be the limit of an Inst-fair saturation process 
{(S^i, I^i_⊥, sel^i)}_{i≥1} such that S^∞⊥ is satisfiable. Then there is a model I⊥ of 
S^∞⊥ and a selection function sel based on I⊥ such that S^∞ is Inst-saturated 
w.r.t. sel. 

Proof. Let {C_i}_{i≥1} be an enumeration of the clauses in S^∞. For each n we construct 
a model J^n of {C_i⊥}_{i≤n} and a selection function sel^n based on J^n, by induction 
on n. For each n the following invariants will be satisfied. 

1. J^n is consistent and sel^n is a selection function for the clauses {C_i}_{i≤n} based on 
J^n. 

2. J^{n-1} ⊆ J^n and sel^n coincides with sel^{n-1} on the clauses {C_i}_{i≤n-1}. 

3. There are infinitely many k such that J^n ⊆ I^k_⊥ and for all 1 ≤ l ≤ n, 
sel^k(C_l) = sel^n(C_l). 

If n = 1 then we have that there exists L ∈ C_1 such that L = sel^k(C_1) for infinitely 
many k. We take J^1 = {L⊥} and sel^1(C_1) = L. Trivially, all invariants (1-3) 
are satisfied. 

Let n ≥ 1 and assume that we have a model J^n and sel^n for {C_i⊥}_{i≤n} such 
that invariants (1-3) are satisfied. Since C_{n+1} ∈ S^∞ we have that for some 
m and every p ≥ m, C_{n+1} ∈ S^p. From this and invariant (3) it follows that for 
some L ∈ C_{n+1} there are infinitely many k such that J^n ⊆ I^k_⊥ and sel^k(C_l) = 
sel^n(C_l) for all 1 ≤ l ≤ n, and sel^k(C_{n+1}) = L. Define J^{n+1} = J^n ∪ {L⊥} and 
sel^{n+1}(C_l) = sel^n(C_l) for 1 ≤ l ≤ n, sel^{n+1}(C_{n+1}) = L. It is easy to see that all 
invariants (1-3) are satisfied for J^{n+1}, sel^{n+1}. 

We define I⊥ = ∪_{i≥1} J^i and sel(C_i) = sel^i(C_i) for i ≥ 1. From compactness 
it follows that I⊥ is consistent, and sel is a selection function based on I⊥. 

Now we need to show that S^∞ is saturated w.r.t. sel. Assume otherwise. 
Then there is a finite subset ℒ of ℒ_{S^∞} such that ℒ^sat contains the empty 
clause. Let K = {(L_1 ∨ C_1)·σ, ..., (L_n ∨ C_n)·σ} be the set of closures of 
clauses from S^∞ producing ℒ in ℒ_{S^∞}. Then, from the construction of I⊥ and 
in particular from invariant (3), it follows that there are infinitely many i such 
that sel^i(L_j ∨ C_j) = L_j for 1 ≤ j ≤ n. Hence, (K, ℒ) is a persistent conflict. 
Since the saturation process is Inst-fair we have that at least one of the closures 
in K is Inst-redundant in S^∞. But this is impossible since all closures in ℒ are 
S^∞-relevant and cannot be produced by Inst-redundant closures. 



Corollary 1. Let {(S^i, I^i_⊥, sel^i)}_{i≥1} be an Inst-fair saturation process. Then 
S^1 is unsatisfiable if and only if S^i⊥ is unsatisfiable for some i. 

In the next sections we consider the issue of how to ensure that an Inst-saturation 
process is Inst-fair. 



7 Relevant Instances from Proofs 

In order to obtain an Inst-fair saturation we need to make closures in persistent 
conflicts Inst-redundant. A uniform way to make a closure C·σ of a clause C ∈ S 
Inst-redundant in S is to add to S a proper (possibly non-ground) instance of C 
which generalises Cσ. Next we will study how to find instantiations which are 
relevant to the persisting conflicts. 

Let us consider a persistent conflict (K, ℒ), where K = {(L_1 ∨ C_1)·σ, ..., (L_n ∨ 
C_n)·σ} and ℒ = {L_1·σ, ..., L_n·σ}. Since ℒ^sat contains the empty clause we have 
that there is a proof of the empty clause in UP from closures in ℒ. Our next goal 
is to show that in any such proof at least one inference is a proper UP-inference. To 
speak more formally about the proofs we assume that proofs are represented as 
binary trees with nodes labelled by closures together with substitutions from the 
corresponding inferences. We assume that at each node of a proof, the left subproof 
is variable disjoint from the right subproof. 

Example 3. A proof of the empty clause in UP from literal closures. 

    (f(x) ≈ g(x))·[h(a)/x]    (f(y) ≈ h(y))·[h(a)/y] 
    ------------------------------------------------ θ_1 = [x/y] 
              (g(x) ≈ h(x))·[h(a)/x]    (g(h(u)) ≉ h(h(u)))·[a/u] 
              ------------------------------------------------------ θ_2 = [h(u)/x] 
                            (h(h(u)) ≉ h(h(u)))·[a/u] 
                            ------------------------- θ_3 = [] 
                                        □ 
Let us consider a proof P and a leaf of this proof with a closure L·σ. Let 
θ_1, ..., θ_n be the substitutions along the branch from this leaf to the root of the 
proof. We call the composition θ = θ_1 ··· θ_n a P-relevant instantiator, and the 
closure Lθ·τ a P-relevant instance of L·σ, where Lθτ = Lσ. If we consider 
the leftmost leaf of the proof in the example above, then the P-relevant instance 
will be (f(h(u)) ≈ g(h(u)))·[a/u] with the P-relevant instantiator [h(u)/x]. 

Lemma 5. Let P be a proof of the empty clause in UP from a set of literal 
closures ℒ such that ℒ⊥ is satisfiable. Then at least one inference in P is proper. 

Corollary 2. Let (K, ℒ) be a persistent conflict and P a proof of the empty 
clause in UP from closures in ℒ. Then for some leaf L·σ of P the P-relevant 
instantiator is proper, and hence the P-relevant instance of L·σ is a proper 
instance. 

For a persistent conflict (K, ℒ), this corollary allows us to make closures in 
K Inst-redundant by adding their P-relevant proper instances. Let us continue 
with Example 3. Assume that the literal closures at the leaves of P are in ℒ for 
a persistent conflict (K, ℒ), so ℒ = {(f(x) ≈ g(x))·[h(a)/x], ...} and, e.g., 
K = {(f(x) ≈ g(x) ∨ h(g(x)) ≈ c)·[h(a)/x], ...}; then we can add the P-relevant 
proper instance f(h(u)) ≈ g(h(u)) ∨ h(g(h(u))) ≈ c to the clause set, making 
the first closure in K Inst-redundant. Thus, to make an Inst-saturation process 
Inst-fair we need to UP-saturate literal closures from the persisting conflicts and 
add proper instantiations of clauses with substitutions that can be obtained from 
the proofs of the empty clause. 



8 From Literal Closures to Literal Clauses 

So far we have been considering closures as the basic entities for persistent 
conflicts and the UP calculus. Of course, working with each ground closure 
separately is of little practical use. This motivates our next step of lifting the UP 
calculus from literal closures to literals. 

Unit paramodulation for literals (UPL) 

Paramodulation: 

    (l ≈ r)    L[l'] 
    ---------------- 
         L[r]θ 

where (i) θ = mgu(l, l'); (ii) l' is not a variable; (iii) lσ ≻_gr rσ for some 
grounding substitution σ. 

Equality resolution: 

    s ≉ t 
    ----- 
      □ 

where θ = mgu(s, t). 

Proofs in UPL can be represented in the same way as proofs in UP (see Section 7). 
And in the same way we can define the notions of a P-relevant instantiator 
and a P-relevant instance. 

By a simple lifting argument we can prove the following lemma, connecting 
the UPL and UP calculi. 

Lemma 6. Let ℒ be a set of literal closures from which the empty clause is 
derivable in UP. Then there is a UPL proof P of the empty clause from the 
literals {L | L·σ ∈ ℒ} such that for every leaf L·σ ∈ ℒ with P-relevant instantiator 
θ, the literal Lθ generalises Lσ, i.e., Lθτ = Lσ for some substitution τ. 

This lemma implies that an Inst-saturation process {(S^i, I^i_⊥, sel^i)}_{i≥1} is 
Inst-fair if the following holds. Consider a finite set K = {(L_1 ∨ C_1), ..., (L_n ∨ C_n)} 
of clauses from S^∞, such that for infinitely many i we have sel^i(L_j ∨ C_j) = L_j for 
1 ≤ j ≤ n. Let P be an UPL proof of the empty clause from {L_1, ..., L_n} and 
L_iθ be a proper P-relevant instance. Then, for some step j, all ground closures 
(L_i ∨ C_i)·θσ are Inst-redundant in S^j. 

We can observe that since θ is a proper instantiator, to make all closures 
(L_i ∨ C_i)·θσ Inst-redundant, we can just add (L_i ∨ C_i)θ to the clause set. 



9 Representation of Closures via Dismatching Constraints 

We have seen that in the process of obtaining a saturated set we make certain 
closures Inst-redundant by proper instantiations. It might be desirable to discard 
these redundant closures when we consider the UPL calculus. In this section we show 
how it can be done with the help of dismatching constraints, defined below. We 
remark that in the context of resolution and paramodulation various kinds of 
constraints have been considered (see e.g. [14, 10, 6]). 

A simple dismatching constraint is a formula ds(s̄, t̄), where s̄, t̄ are two variable 
disjoint tuples of terms, with the following semantics. A solution to a constraint 
ds(s̄, t̄) is a substitution σ such that for every substitution γ, s̄γ ≠ t̄σ 
(here = is the syntactic equality). It is easy to see that a constraint ds(s̄, t̄) 
is satisfiable if and only if for all substitutions γ, s̄γ ≠ t̄. In other words, a 
dismatching constraint ds(s̄, t̄) is not satisfiable if and only if there is a substitution 
μ such that s̄μ = t̄, which is a familiar matching problem. We will 
use conjunctions of simple dismatching constraints, called just dismatching constraints: 
∧_{i=1}^{n} ds(s̄_i, t̄_i), where s̄_i is variable disjoint from all t̄_j, and from s̄_k for i ≠ k. 
Let us note that there is a polynomial time algorithm for testing satisfiability 
of the dismatching constraints. To check whether a constraint ∧_{i=1}^{n} ds(s̄_i, t̄_i) is 
(un)satisfiable, we just need to solve n matching problems. 

A constrained clause C | [D] is a clause C together with a dismatching 
constraint D. We will assume that in a constrained clause C | [∧_{i=1}^{n} ds(s̄_i, t̄_i)], 
the clause C is variable disjoint from all s̄_i, 1 ≤ i ≤ n. A constrained clause 
C | [D] represents the set of all ground closures C·σ, denoted as Cl(C | [D]), 
such that σ is a solution to D. For a set S of constrained clauses, Cl(S) denotes 
the set of all ground closures represented by constrained clauses from S. 

Now if we consider a set of clauses S such that C ∈ S and Cθ ∈ S for some 
proper instantiator θ, then we can discard all Inst-redundant ground closures 
C·θσ, by adding a dismatching constraint to C, obtaining C | [ds(x̄θ, x̄)], where 
x̄ are the variables of C. In the general case, when a constrained clause C | [D] 
is in S and we add Cθ to S for some proper instantiator θ, then we can discard 
all Inst-redundant ground closures C·θσ, by extending the dismatching constraint 
D, obtaining C | [D ∧ ds(x̄θ, x̄)]. We can always assume that all variables in x̄θ 
are disjoint from variables in C and D. 
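The matching-based satisfiability test for dismatching constraints and the use of ds(x̄θ, x̄) to discard the closures covered by a proper instance Cθ, as an added Python example that is not the paper's code. The term encoding and the names `match`, `ds_satisfiable`, `is_solution` and `constraint_for_instance` are this example's own; it uses the clause f(x) ≈ g(x) ∨ h(g(x)) ≈ c of Section 7 with θ = [h(u)/x] as constructed input and assumes, as the text does, that the variables of x̄θ are disjoint from those of C and D.

```python
"""Dismatching constraints as a filter on the ground closures a clause represents
(added example, not code from the paper). Terms: a variable is a str, a compound
term a tuple (symbol, arg, ...), a constant a 1-tuple. A simple constraint
ds(s, t) is a pair of equal-length tuples of terms; a dismatching constraint is
a list of such pairs, read as their conjunction."""

def is_var(t):
    return isinstance(t, str)

def subst(t, s):
    return s.get(t, t) if is_var(t) else (t[0],) + tuple(subst(a, s) for a in t[1:])

def match(s, t, mu=None):
    """Matcher mu with s mu = t (syntactic equality), binding only variables of s;
    variables of t behave as constants. None if s does not match t."""
    mu = dict(mu or {})
    if is_var(s):
        if s in mu:
            return mu if mu[s] == t else None
        mu[s] = t
        return mu
    if is_var(t) or s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        if (mu := match(a, b, mu)) is None:
            return None
    return mu

def match_tuples(ss, ts):
    """One matching problem for a whole tuple pair (s_1..s_n) against (t_1..t_n)."""
    mu = {}
    for s, t in zip(ss, ts):
        if (mu := match(s, t, mu)) is None:
            return None
    return mu

def ds_satisfiable(constraint):
    """ds(s, t) is unsatisfiable iff some gamma gives s gamma = t, i.e. iff s matches
    t; a conjunction of n simple constraints therefore costs n matching problems."""
    return all(match_tuples(s, t) is None for s, t in constraint)

def is_solution(constraint, sigma):
    """sigma solves ds(s, t) iff no gamma gives s gamma = t sigma."""
    return all(match_tuples(s, tuple(subst(x, sigma) for x in t)) is None
               for s, t in constraint)

def constraint_for_instance(variables, theta):
    """The conjunct ds(x theta, x) added to C | [D] when C theta joins the clause set.
    Assumption: the variables of x theta are already disjoint from those of C and D."""
    return (tuple(subst(x, theta) for x in variables), tuple(variables))

def represented(constraint, candidates):
    """Those candidate ground substitutions sigma whose closures C . sigma are still
    represented by C | [D], i.e. were not discarded as Inst-redundant."""
    return [s for s in candidates if is_solution(constraint, s)]

# Constructed input, following Section 7: C = f(x) ~ g(x) v h(g(x)) ~ c with the
# variable tuple (x), first instantiated by theta = [h(u)/x] and then by [a/x].
C_VARS = ('x',)
THETA1 = {'x': ('h', 'u')}
THETA2 = {'x': ('a',)}
D = [constraint_for_instance(C_VARS, THETA1)]          # ds((h(u)), (x))
D2 = D + [constraint_for_instance(C_VARS, THETA2)]     # ... and ds((a), (x))
CANDIDATES = [{'x': ('h', ('a',))}, {'x': ('a',)}, {'x': ('b',)}]

if __name__ == "__main__":
    print(ds_satisfiable(D), represented(D, CANDIDATES), represented(D2, CANDIDATES))
```

`represented(D, ...)` keeps exactly the substitutions σ for which xσ is not an instance of h(u), that is, the closures C·σ that the instance Cθ does not already represent; the closure C·[h(a)/x] from Example 3 is dropped. When θ is a renaming rather than a proper instantiator, ds(x̄θ, x̄) is unsatisfiable and every closure of C would be discarded, which is why the text applies the construction only with proper instantiators.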
The notion of Inst-redundancy can be adapted from clauses to constrained 
clauses, by saying that a constrained clause C | [D] is Inst-redundant if all 
closures in Cl(C | [D]) are Inst-redundant. 

Let S be a set of constrained clauses; then Unc(S) denotes the set of all 
unconstrained clauses obtained from S by dropping all constraints. We say that 
a set of constrained clauses S is well-constrained if 
Cl(S) \ R_Inst(Cl(S)) = Cl(Unc(S)) \ R_Inst(Cl(Unc(S))). Thus, constraints in 
well-constrained sets of clauses are just a tool for discarding Inst-redundant closures. 

Next we can replace the UPL calculus with the calculus on constrained literals. 

Unit paramodulation with dismatching constraints (UPD) 

Paramodulation: 

    (l ≈ r) | [D_1]    L[l'] | [D_2] 
    -------------------------------- 
        L[r]θ | [(D_1 ∧ D_2)θ] 

where (i) θ = mgu(l, l'); (ii) l' is not a variable; (iii) for some grounding 
substitution σ satisfying (D_1 ∧ D_2)θ, lσ ≻_gr rσ. 

Equality resolution: 

    s ≉ t | [D] 
    ----------- 
         □ 

where (i) θ = mgu(s, t); (ii) Dθ is satisfiable. 

Naturally we can define the notion of UPD-redundancy, saying that a constrained 
literal L | [D] ∈ ℒ is UPD-redundant in ℒ if all closures in 
Cl(L | [D]) are UP-redundant in Cl(ℒ). And in the same way as for UP 
we can define the UPD-saturation process and ℒ^sat. 

Now in the place of S-relevant literal closures ℒ_S we define the set of S-relevant 
constrained literals ℒ_S as the set of all constrained literals L | [D] 
such that 

1. (L ∨ C) | [D] ∈ S, 

2. (L ∨ C) | [D] is not Inst-redundant in S, 

3. L = sel(L ∨ C). 

We say that the set of constrained clauses S is Inst-saturated if ℒ_S^sat does not 
contain the empty clause. 

The following lemma can be proved by a simple lifting argument. 

Lemma 7. Let ℒ be a set of constrained literals. If the empty clause is derivable 
in UP from Cl(ℒ) \ R_UP(Cl(ℒ)), then the empty clause is derivable in UPD from ℒ. 

From Lemma 7 a lifted version of Theorem 1 from Section 5 follows. 

Theorem 2. Let S be a well-constrained set of constrained clauses, I⊥ a model 
of Unc(S)⊥ and sel a selection function based on I⊥. If S is Inst-saturated 
w.r.t. sel, then Unc(S) is satisfiable. 
Abstract. In this paper we present goal-directed deduction methods for 
Łukasiewicz infinite-valued logic Ł, giving logic programming style algorithms 
which both have a logical interpretation and provide a suitable 
basis for implementation. We begin by considering a basic version with 
connections to calculi for other logics, then make refinements to obtain 
greater efficiency and termination properties, and to deal with further 
connectives and truth constants. We finish by considering applications 
of these algorithms to fuzzy logic programming. 

Keywords: Łukasiewicz Logics, Fuzzy Logics, Goal-Directed Methods. 



1 Introduction 

Lukasiewicz logics were introduced by Jan Lukasiewicz in the 1920s [9], and are 
currently studied intensively in connection with several areas of research. Firstly, 
in fuzzy logic where the infinite-valued Lukasiewicz logic L, along with Gödel 
logic G and Product logic Π, emerges as one of the fundamental “t-norm based” 
fuzzy logics [7]. Also in algebra, where Chang's MV-algebras for L have applications 
to many fields of mathematics, see e.g. [3], and in geometry where formulae 
of L are related to particular geometric functions via McNaughton's representation 
theorem [10]. Finally, various semantic interpretations of Lukasiewicz logics 
have been given, most importantly using Ulam's game with errors/lies which has 
applications to adaptive error-correcting codes [15]. 

From the automated reasoning perspective, a variety of proof methods have 
been advanced for L. These fall into three main categories: 

1. Sequent and hypersequent calculi are provided by the authors in [12], and a 
many-placed sequent calculus (via a reduction to finite-valued logics) is given 
by Aguzzoli and Ciabattoni in [1]. 

2. Both Hähnle [6] and Olivetti [17] have given tableaux for L that are co-NP 
via reductions to mixed integer programming problems. 

3. Wagner [21] (using hyperplanes), and Mundici and Olivetti [16] have given 
resolution calculi for L. 

We note also that connectives from L have been used as the basis for fuzzy 
logic programming methods, see e.g. [19,8,20]. 

J. Marcinkowski and A. Tarlecki (Eds.): CSL 2004, LNCS 3210, pp. 85-99, 2004. 

© Springer-Verlag Berlin Heidelberg 2004 
In this work our aim is to make use of the theoretical insights provided by 
the Gentzen-style calculi of [12] to give proof calculi for both L and an important 
extension of L with constants called Rational Pavelka Logic RPL (see e.g. [7]), 
that are not only geared towards automated reasoning, but also have intuitive 
logical and algorithmic interpretations. For this purpose we develop goal-directed 
methods, a generalization of the logic programming style of deduction 
particularly suitable for proof search, which decompose goal formulae according 
to their structure and database formulae according to the goals, thereby 
eliminating much non-determinism and avoiding decomposing irrelevant formulae. 
Goal-directed systems have been given for a wide range of logics including 
classical, intuitionistic, intermediate, modal, substructural and many-valued 
logics [13,4,5,11], and have been used as the basis for various non-classical logic 
programming languages, see e.g. [18]. 

We proceed as follows. We begin in Sections 2 and 3 by introducing L and the 
goal-directed methodology respectively. In Section 4 we then give a basic goal- 
directed algorithm for L, pointing out similarities with calculi for other logics. 
In Section 5 we turn our attention to improving efficiency, giving a variety of 
terminating and non-terminating versions, and to showing how other connectives 
and truth constants for RPL may be treated. Finally in Section 6 we explore 
applications of these algorithms to fuzzy logic programming in L. 



2 Lukasiewicz Logic 

Lukasiewicz logic L is defined as follows: 

Definition 1 (L). L is axiomatised by: 

(L1) $A \to (B \to A)$ 

(L2) $(A \to B) \to ((B \to C) \to (A \to C))$ 

(L3) $((A \to B) \to B) \to ((B \to A) \to A)$ 

(L4) $((A \to \bot) \to (B \to \bot)) \to (B \to A)$ 

with the remaining connectives defined by: 

$\neg A =_{def} A \to \bot$, $A \odot B =_{def} \neg(A \to \neg B)$, $A \wedge B =_{def} A \odot (A \to B)$, 
$\top =_{def} \neg\bot$, $A \oplus B =_{def} \neg A \to B$, $A \vee B =_{def} (A \to B) \to B$. 



Appropriate algebras for L were introduced by Chang in [2]. 

Definition 2 (MV-Algebra). An MV-algebra is a structure $\mathcal{A} = (A, \oplus, \neg, \bot)$ satisfying: 

(mv1) $\bot \oplus a = a$ 
(mv2) $a \oplus b = b \oplus a$ 
(mv3) $(a \oplus b) \oplus c = a \oplus (b \oplus c)$ 
(mv4) $\neg\neg a = a$ 
(mv5) $a \oplus \neg\bot = \neg\bot$ 
(mv6) $\neg(\neg a \oplus b) \oplus b = \neg(\neg b \oplus a) \oplus a$ 

where $a \to b =_{def} \neg a \oplus b$, $a \odot b =_{def} \neg(\neg a \oplus \neg b)$, $\top =_{def} \neg\bot$, 
$a \vee b =_{def} \neg(\neg a \oplus b) \oplus b$, $a \wedge b =_{def} a \odot (\neg a \oplus b)$. 




Goal-Directed Methods for Lukasiewicz Logic 



87 



A valuation for an MV-algebra $\mathcal{A}$ is a map $v$ from formulae to $A$ with $v(\bot) = \bot$ 
and $v(A \to B) = \neg v(A) \oplus v(B)$. A formula $A$ is valid in $\mathcal{A}$, written $\models_{\mathcal{A}} A$, 
iff $v(A) = \top$ for every valuation $v$ for $\mathcal{A}$; $A$ is a logical consequence of $\Gamma$ in 
$\mathcal{A}$, written $\Gamma \models_{\mathcal{A}} A$, iff for every valuation $v$ for $\mathcal{A}$, $v(A) = \top$ 
whenever $v(B) = \top$ for all $B \in \Gamma$. 

The usual standard MV-algebra for L is based on the real unit interval [0, 1]; 
however it will be more convenient in this paper for us to consider a “knocked 
down” version based instead on the real interval [−1, 0]. 

Definition 3 ($[-1,0]_L$). $x \oplus y = \min(0, x + y + 1)$, $\neg x = -1 - x$, 
$[-1,0]_L = ([-1,0], \oplus, \neg, -1)$. 

We now state Chang's algebraic completeness theorem (slightly revised) for L. 

Theorem 1 (Chang [2]). For any formula $A$: $A$ is a theorem of L iff $\models_{[-1,0]_L} A$. 



We also mention a deduction theorem for L, writing $A^n$ for $A \odot \cdots \odot A$ ($n$ times). 

Theorem 2. $\Gamma, A \models B$ iff $\Gamma \models A^n \to B$ for some $n \ge 0$. 

Complexity issues have been settled for L by Mundici in [14]. 

Theorem 3 (Mundici [14]). The tautology problem for L is co-NP-complete. 
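To make the $[-1,0]_L$ semantics of Definitions 1 and 3 concrete, here is an added Python example (my code, not the paper's): formulae are built from → and ⊥, the remaining connectives are expanded through the definitions listed with Definition 1, values are computed with the ⊕ and ¬ of Definition 3, and a grid of rational valuations is searched for counterexamples. The formula encoding, the function names and the grid step are the example's own; the axiom schemes (L1)–(L4) are written out in their standard form. A grid search can only refute validity, never establish it, which is one reason the paper works with calculi and, in Section 5, with linear programming rather than enumeration.

```python
from fractions import Fraction
from itertools import product

ZERO, BOT = Fraction(0), Fraction(-1)


# Definition 3: the "knocked down" standard MV-algebra [-1,0]_L.
def oplus(x, y):
    return min(ZERO, x + y + 1)


def neg(x):
    return Fraction(-1) - x


# Formulae as tuples over the primitives → and ⊥ (the example's own encoding);
# the other connectives are expanded via the definitions given with Definition 1.
def var(name):
    return ('var', name)


BOTTOM = ('bot',)


def imp(a, b):
    return ('imp', a, b)


def non(a):        return imp(a, BOTTOM)          # ¬A    =def A → ⊥
def odot(a, b):    return non(imp(a, non(b)))     # A ⊙ B =def ¬(A → ¬B)
def land(a, b):    return odot(a, imp(a, b))      # A ∧ B =def A ⊙ (A → B)
def oplus_f(a, b): return imp(non(a), b)          # A ⊕ B =def ¬A → B
def lor(a, b):     return imp(imp(a, b), b)       # A ∨ B =def (A → B) → B


def ev(f, v):
    """Value of f under valuation v (dict atom -> number in [-1, 0]):
    v(⊥) = -1 and v(A → B) = ¬v(A) ⊕ v(B), which works out to min(0, v(B) - v(A))."""
    if f[0] == 'var':
        return v[f[1]]
    if f[0] == 'bot':
        return BOT
    return oplus(neg(ev(f[1], v)), ev(f[2], v))


def atoms(f):
    if f[0] == 'var':
        return {f[1]}
    if f[0] == 'bot':
        return set()
    return atoms(f[1]) | atoms(f[2])


def counterexample(f, steps=4):
    """Search the grid {0, -1/steps, ..., -1}^n for a valuation with v(f) != 0.
    A hit refutes validity; None means nothing was found on the grid (not a proof)."""
    names = sorted(atoms(f))
    pts = [Fraction(-k, steps) for k in range(steps + 1)]
    for vals in product(pts, repeat=len(names)):
        v = dict(zip(names, vals))
        if ev(f, v) != ZERO:
            return v
    return None


A, B, C = var('A'), var('B'), var('C')

# The axiom schemes of Definition 1 in their standard form.
AXIOMS = {
    'L1': imp(A, imp(B, A)),
    'L2': imp(imp(A, B), imp(imp(B, C), imp(A, C))),
    'L3': imp(imp(imp(A, B), B), imp(imp(B, A), A)),
    'L4': imp(imp(non(A), non(B)), imp(B, A)),
}

# Two classical theorems that fail in L: Peirce's law and contraction A → (A ⊙ A).
PEIRCE = imp(imp(imp(A, B), A), A)
CONTRACTION = imp(A, odot(A, A))


def chain(premises, q):
    """[A1, ..., An] → q written out as A1 → (A2 → ... (An → q) ...)."""
    f = q
    for p in reversed(premises):
        f = imp(p, f)
    return f


def chain_value(premises, q, v):
    """Direct value of [A1,...,An] → q next to the closed form min(0, v(q) - Σ v(Ai))."""
    direct = ev(chain(premises, q), v)
    closed = min(ZERO, ev(q, v) - sum(ev(p, v) for p in premises))
    return direct, closed


def derived_connectives_agree(steps=4):
    """On the grid: ∨ is max, ∧ is min, ⊕ is Definition 3's bounded sum, ⊙ is max(-1, x + y)."""
    pts = [Fraction(-k, steps) for k in range(steps + 1)]
    for x, y in product(pts, repeat=2):
        v = {'A': x, 'B': y}
        if (ev(lor(A, B), v) != max(x, y) or ev(land(A, B), v) != min(x, y)
                or ev(oplus_f(A, B), v) != oplus(x, y) or ev(odot(A, B), v) != max(BOT, x + y)):
            return False
    return True


if __name__ == '__main__':
    for name, ax in AXIOMS.items():
        print(name, 'grid counterexample:', counterexample(ax))
    print('Peirce:', counterexample(PEIRCE), 'contraction:', counterexample(CONTRACTION))
    print('derived connectives agree:', derived_connectives_agree())
```

Running the block reports no grid counterexample for (L1)–(L4), a counterexample to Peirce's law and to contraction $A \to (A \odot A)$ (the latter is what forces the power $A^n$ in Theorem 2), and confirms the closed form $v([A_1,\dots,A_n] \to q) = \min(0, v(q) - \sum v(A_i))$ that the soundness argument for (implication) in Section 4 relies on.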



3 Goal-Directed Methods 

In this paper we adopt the following “logic programming style” goal-directed 
paradigm of deduction. For a given logic, denote by $\Gamma \vdash A$ the query “does A 
follow from $\Gamma$?” where $\Gamma$ is a database (collection) of formulae and A is a goal 
formula. The deduction is goal-directed in the sense that the next step in a proof 
is determined by the form of the current goal: a complex goal is decomposed until 
its atomic constituents are reached, an atomic goal q is matched (if possible) with 
the “head” of a formula $G \to q$ in the database, and its “body” G asked in turn. 
This can be viewed as a sort of resolution step, or generalized Modus Tollens. 

This model of deduction can be refined in several ways: (1) by putting con- 
straints/labels on database formulae, restricting those available to match an 
atomic goal, (2) by adding more control to ensure termination, either by loop- 
checking or by “diminishing resources” i.e. removing formulae “used” to match 
an atomic goal, (3) by re-asking goals previously occurring in the deduction using 
restart rules. Note however that for applications such as deductive databases and 
logic programming, a terminating proof procedure is not always essential. We 
might want to get a proof of the goal from the database quickly if one exists, but 
be willing to have no answer otherwise (and preempt termination externally). 
Goal-directed procedures have been proposed for a variety of logics, in some 
cases as refinements of sequent calculi called “Uniform proof systems”, see e.g. 
[13]. Here we illustrate the goal-directed methodology by presenting a diminish- 
ing resources with bounded restart algorithm given in [4] for the implicational 
fragment of intuitionistic logic, henceforth adopting the convention of writing 
$[A_1, \dots, A_n] \to q$ for $A_1 \to (A_2 \to \dots (A_n \to q) \dots)$. 

Definition 4 (GDLJ). A query is a structure $\Gamma \vdash G; H$ where $\Gamma$ is a database of 
formulae, $G$ is a goal formula and $H$ is a history, a sequence of atoms; $H * (q)$ denotes 
$H$ with $q$ appended. The rules are: 

(success) $\Gamma \vdash q; H$ succeeds if $q \in \Gamma$ 

(implication) from $\Gamma \vdash \Pi \to q; H$ step to $\Gamma, \Pi \vdash q; H$ 

(reduction) from $\Gamma, \Pi \to q \vdash q; H$ step to $\Gamma \vdash A; H * (q)$ for all $A \in \Pi$ 

(bounded restart) from $\Gamma \vdash q; H$ step to $\Gamma \vdash p; H * (q)$ where $q$ occurs in $H$ before $p$ 



Example 1. Consider the following proof, observing that (bounded restart) is 
needed at (2) to compensate for the removal of $p \to q$ at (1): 

$\vdash [(p \to q) \to p, p \to q] \to q; ()$   (implication) 
$(p \to q) \to p, p \to q \vdash q; ()$   (1) (reduction) 
$(p \to q) \to p \vdash p; (q)$   (reduction) 
$\vdash p \to q; (q, p)$   (implication) 
$p \vdash q; (q, p)$   (2) (bounded restart) 
$p \vdash p; (q, p, q)$   (success) 


Moreover a goal-directed calculus for the implicational fragment of classical 
logic is obtained by simply liberalising the (bounded restart) rule to allow 
restarts from any previous goal [4]. Also by modifying the history to allow states 
of the database to be recorded we can give goal-directed calculi for . - , , r 
[11]. 



4 A Basic Goal-Directed System 

In this section our aim will be to define a basic goal-directed system for L 
based on a language with connectives $\to$ and $\bot$, recalling that other standard 
connectives are definable from this pair. We start by defining goal-directed queries 
for L, similar to those given for intuitionistic and classical logic above, which 
consist of a database together with a multiset of goals, and a history of previous 
states of the database with goals. 

Definition 5 (Goal-Directed Query). A goal-directed query for GDL is a structure 

$Q = \Gamma \vdash \Delta; H$ 

where $\Gamma$ is a multiset of formulae (the database), $\Delta$ is a multiset of formulae (the goals), 
and $H$ is a set $\{(\Gamma_1 \vdash \Delta_1), \dots, (\Gamma_n \vdash \Delta_n)\}$ of pairs of multisets of formulae 
(the history). $Q$ is atomic if all the formulae occurring in $Q$ are atomic. 

A query may be understood intuitively as asking if either the goals “follow 
from” the database or there is an alternative state in the history such that the 
goals there follow from the appropriate database. Formally we determine the 
validity of queries using the model $[-1,0]_L$ as follows: 

Definition 6 (Validity). $Q = \Gamma_1 \vdash \Delta_1; \{(\Gamma_2 \vdash \Delta_2), \dots, (\Gamma_n \vdash \Delta_n)\}$ is valid 
in L, written $\models^* Q$, iff for every valuation $v$ for $[-1,0]_L$ there is some $1 \le i \le n$ 
with $\sum_{A \in \Gamma_i} v(A) \le \sum_{B \in \Delta_i} v(B)$. 

Equivalently we can interpret a query Q as a formula of Abelian logic A, 
the logic of lattice ordered abelian groups, and identify the validity of Q with 
the validity of this formula in A. Details are provided in [12]; here we simply 
emphasize that for formulae our interpretation agrees with the usual one for L. 

Lemma 1. $\models^* \; \vdash A; \emptyset$ iff $\models A$. 

It is easy to see that a query is valid if every goal A matches with an oc- 
currence of either A or $\bot$ in the database. We express this using the following 
relation: 

Definition 7 ($\subseteq^*$). (i) $\Delta \subseteq^* \Gamma$ if $\Delta \subseteq \Gamma$; (ii) $\Delta \cup \{A\} \subseteq^* \Gamma \cup \{\bot\}$ if $\Delta \subseteq^* \Gamma$. 
We now give our first goal-directed calculus for L. 

Definition 8 (GDL). GDL consists of the following rules: 

(success) $\Gamma \vdash \Delta; H$ succeeds if $\Delta \subseteq^* \Gamma$ 

(implication) from $\Gamma \vdash \Pi \to q, \Delta; H$ step to $\Gamma \vdash \Delta; H$ and $\Gamma, \Pi \vdash q, \Delta; H$ 

(l-reduction) from $\Gamma, \Pi \to q \vdash q, \Delta; H$ step to $\Gamma \vdash \Pi, \Delta; H \cup \{(\Gamma \vdash q, \Delta)\}$ 

(r-reduction) from $\Gamma \vdash q, \Delta; H \cup \{(\Gamma', \Pi \to q \vdash \Delta')\}$ step to 
$\Gamma', q \vdash \Pi, \Delta'; H \cup \{(\Gamma' \vdash \Delta'), (\Gamma \vdash q, \Delta)\}$ 

(n-reduction) from $\Gamma, \Pi \to \bot \vdash \Delta; H$ step to $\Gamma, \bot \vdash \Pi, \Delta; H \cup \{(\Gamma \vdash \Delta)\}$ 

(mingle) from $\Gamma \vdash q, \Delta; H \cup \{(\Gamma', q \vdash \Delta')\}$ step to 
$\Gamma, \Gamma' \vdash \Delta, \Delta'; H \cup \{(\Gamma', q \vdash \Delta'), (\Gamma \vdash q, \Delta)\}$ 

(restart) from $\Gamma \vdash \Delta; H \cup \{(\Gamma' \vdash \Delta')\}$ step to $\Gamma' \vdash \Delta'; H \cup \{(\Gamma \vdash \Delta)\}$ 

Note that the (implication) rule means that a query with an implicational 
goal $\Pi \to q$ steps to two further queries: one where this goal is removed, and 
one where $\Pi$ is added to the database and $\Pi \to q$ is replaced by $q$ as a goal. We 
can also define a version where $\Pi \to q$ is the only goal in which case only one 
premise is needed, i.e.: 

(implication') From $\Gamma \vdash \Pi \to q; H$ step to $\Gamma, \Pi \vdash q; H$ 

Note also that for convenience of presentation we have split the reduction 
process into three “reduction rules”: (l-reduction) and (r-reduction), which treat 
the cases where a goal matches the head of a formula in the database and in the 
database of a state in the history respectively, and (n-reduction), which decomposes 
a formula in the database with head $\bot$. Finally, observe that (mingle) combines two 
states in the case where one has a goal occurring in the database of the other, and 
that (restart) allows the computation to switch to a state recorded in the history. 

GDL is easily adapted to provide goal-directed calculi for other logics. For 
example a calculus for , , , , is obtained by changing all mention in 

Definition 5 of multisets to sets, and replacing the restart rule with: 

(restart') From $\Gamma \vdash \Delta; H \cup \{(\Gamma' \vdash \Delta')\}$ step to $\Gamma', \Gamma \vdash \Delta'; H \cup \{(\Gamma \vdash \Delta)\}$ 



Example 2. We illustrate GDL with a proof of the axiom (L4), using (1) and 
(2) to mark separate branches: 

$\vdash [(p \to q) \to q, q \to p] \to p; \emptyset$   (implication') 
$(p \to q) \to q, q \to p \vdash p; \emptyset$   (l-reduction) 
$(p \to q) \to q \vdash q; \{((p \to q) \to q \vdash p)\}$   (l-reduction) 
$\vdash p \to q; \{(\vdash q), ((p \to q) \to q \vdash p)\}$   (implication') 
$p \vdash q; \{(\vdash q), ((p \to q) \to q \vdash p)\}$   (r-reduction) 
$q \vdash p, p \to q; \{(\vdash q), (p \vdash q)\}$   (implication) 
(1) $q \vdash p; \{(\vdash q), (p \vdash q)\}$   (mingle) 
$q \vdash q; \{(\vdash q), (p \vdash q), (q \vdash p)\}$   (success) 
(2) $q, p \vdash p, q; \{(\vdash q), (p \vdash q), (q \vdash p)\}$   (success) 



We now show that GDL is sound with respect to the interpretation of queries 
given in Definition 6. 

Theorem 4 (Soundness of GDL). For any query Q, if Q succeeds in GDL then $\models^* Q$. 

Proof. We proceed by induction on the height of a derivation in GDL showing 
that each rule preserves validity. For example for (implication), given a valuation 
$v$ for $[-1,0]_L$ we can ignore the history $H$ as it is repeated in both premise and 
conclusion, and we have $\sum v(\Gamma) \le \sum v(\Delta)$ and $\sum v(\Gamma) + \sum v(\Pi) \le v(q) + \sum v(\Delta)$. 
If $\sum v(\Pi) \le v(q)$ then $v(\Pi \to q) = 0$ and we use the first premise, 
otherwise $v(\Pi \to q) = v(q) - \sum v(\Pi)$ and we use the second. □ 

To prove completeness we distinguish two functions of GDL: (1) to decompose 
complex formulae using rules that take us from valid queries to valid queries, 
and (2) to determine the validity of atomic hypersequents. We show that (1) 
allows us to reduce the derivability of a hypersequent to the derivability of hy- 
persequents containing only atoms and irrelevant (in the sense that they do not 
affect the validity of the hypersequent) formulae, and that (2) allows us to prove 
all valid atomic hypersequents. We begin with the former. 
Definition 9 (Complete). A rule is complete if whenever the query it is applied to 
is valid, so are the queries it steps to. 

Lemma 2. (implication), the reduction rules and (restart) are complete. 

If we apply the (implication) and reduction rules exhaustively to a query 
using (restart) to move between different states of the history, then we end up 
with queries where the goals of every state are atoms that fail to match the head 
of a non-atomic formula in the database of any state. We call such queries irreducible. 

Definition 10 (Irreducible). $\Gamma_1 \vdash \Delta_1; \{(\Gamma_2 \vdash \Delta_2), \dots, (\Gamma_n \vdash \Delta_n)\}$ is irreducible iff: 

- $\Delta_i$ is atomic for $i = 1, \dots, n$; 

- $\Gamma_i = \Pi_i \cup \Lambda_i$ for $i = 1, \dots, n$ where $\Lambda_i$ is atomic; 

- $\mathit{Head}(\Pi_1 \cup \dots \cup \Pi_n) \cap (\Delta_1 \cup \dots \cup \Delta_n \cup \{\bot\}) = \emptyset$ 

where $\mathit{Head}([A_1, \dots, A_n] \to q) = q$ and $\mathit{Head}(\Gamma) = \{\mathit{Head}(A) \mid A \in \Gamma\}$. 

Lemma 3. Applying (implication), the reduction rules and (restart) exhaustively 
to a query Q terminates with irreducible queries. 


If an irreducible query is valid then by removing non-atomic formulae we 
obtain an atomic query that is also valid. 

Lemma 4. If $\models^* \Lambda_1, \Pi_1 \vdash \Delta_1; \{(\Lambda_2, \Pi_2 \vdash \Delta_2), \dots, (\Lambda_n, \Pi_n \vdash \Delta_n)\}$ 
where $\Lambda_i$ and $\Delta_i$ are atomic for $i = 1, \dots, n$ and 
$\mathit{Head}(\Pi_1 \cup \dots \cup \Pi_n) \cap (\Delta_1 \cup \dots \cup \Delta_n \cup \{\bot\}) = \emptyset$, 
then $\models^* \Lambda_1 \vdash \Delta_1; \{(\Lambda_2 \vdash \Delta_2), \dots, (\Lambda_n \vdash \Delta_n)\}$. 

Proof. Assume $\not\models^* \Lambda_1 \vdash \Delta_1; \{(\Lambda_2 \vdash \Delta_2), \dots, (\Lambda_n \vdash \Delta_n)\}$. We get that there 
is a valuation $v$ for $[-1,0]_L$ such that $\sum v(\Lambda_i) > \sum v(\Delta_i)$ for $i = 1, \dots, n$. We 
define $v'$ as follows: 

$v'(q) = 0$ if $q \in \mathit{Head}(\Pi_1 \cup \dots \cup \Pi_n)$, and $v'(q) = v(q)$ otherwise. 

Since $\mathit{Head}(\Pi_1 \cup \dots \cup \Pi_n) \cap (\Delta_1 \cup \dots \cup \Delta_n) = \emptyset$ we have that $\sum v'(\Delta_i) = \sum v(\Delta_i)$ 
for $i = 1, \dots, n$. We also get that $\sum v'(\Pi_i) = 0$ and $\sum v'(\Lambda_i) \ge \sum v(\Lambda_i)$ 
for $i = 1, \dots, n$. Hence $\sum v'(\Lambda_i) + \sum v'(\Pi_i) > \sum v'(\Delta_i)$ for $i = 1, \dots, n$ and 
$\not\models^* \Lambda_1, \Pi_1 \vdash \Delta_1; \{(\Lambda_2, \Pi_2 \vdash \Delta_2), \dots, (\Lambda_n, \Pi_n \vdash \Delta_n)\}$, a contradiction. □ 

The next step is to show that all valid irreducible queries succeed in GDL. 

Lemma 5. If an atomic query Q is valid then Q succeeds in GDL. 

Proof. Let $Q = \Gamma_1 \vdash \Delta_1; \{\Gamma_2 \vdash \Delta_2, \dots, \Gamma_n \vdash \Delta_n\}$ be atomic. If $\models^* Q$ then 
the set $\{\sum v(\Gamma_i) > \sum v(\Delta_i) \mid 1 \le i \le n\}$ is inconsistent over $[-1,0]$, and hence there 
exist $\lambda_1, \dots, \lambda_n \in \mathbb{N}$ such that $\lambda_i > 0$ for some $1 \le i \le n$ and: 

$\bigcup_{i=1}^{n} \lambda_i \Delta_i \subseteq^* \bigcup_{i=1}^{n} \lambda_i \Gamma_i$ 

We show that Q succeeds in GDL by induction on $\lambda = \sum_{i=1}^{n} \lambda_i$. If $\lambda = 1$ 
then Q succeeds by an application of (restart) if necessary and (success). For 
$\lambda > 1$ we have two cases. First suppose that for some $i \ne j$, $1 \le i, j \le n$, we have 
$\lambda_i, \lambda_j > 0$ and there exists $q \in \Delta_i \cap \Gamma_j$. Since we can always apply (restart) to 
change the state of the database, we can assume without loss of generality that 
$i = 1$ and $j = 2$. Now by applying (mingle) we obtain a query: 

$Q' = \Gamma_1, \Gamma_2 - \{q\} \vdash \Delta_1 - \{q\}, \Delta_2; \{\Gamma_1 \vdash \Delta_1, \dots, \Gamma_n \vdash \Delta_n\}$ 

If $\lambda_1 \ge \lambda_2$ then we have: 

$(\lambda_1 - \lambda_2)\Delta_1 \cup \lambda_2(\Delta_1 - \{q\} \cup \Delta_2) \cup \bigcup_{i=3}^{n} \lambda_i \Delta_i \subseteq^* (\lambda_1 - \lambda_2)\Gamma_1 \cup \lambda_2(\Gamma_1 \cup \Gamma_2 - \{q\}) \cup \bigcup_{i=3}^{n} \lambda_i \Gamma_i$ 

Moreover $(\lambda_1 - \lambda_2) + \lambda_2 + \sum_{i=3}^{n} \lambda_i < \lambda$ and hence by the induction hypothesis 
Q' succeeds in GDL so we are done. The case where $\lambda_2 > \lambda_1$ is very similar. 

Alternatively if for all $q \in \Delta_i$ for $i = 1, \dots, n$ where $\lambda_i > 0$ there is no $j$ such 
that $\lambda_j > 0$ and $q \in \Gamma_j$, then in at least one state there must be more occurrences 
of $\bot$ than goals, so the query succeeds by (restart) and (success). □ 

Lemma 6. If $\Lambda_1 \vdash \Delta_1; \{(\Lambda_2 \vdash \Delta_2), \dots, (\Lambda_n \vdash \Delta_n)\}$ succeeds in GDL, then 
$\Lambda_1, \Pi_1 \vdash \Delta_1; \{(\Lambda_2, \Pi_2 \vdash \Delta_2), \dots, (\Lambda_n, \Pi_n \vdash \Delta_n)\}$ succeeds in GDL. 

We are now able to conclude that GDL is complete. 

Theorem 5 (Completeness of GDL). If $\models^* Q$ then Q succeeds in GDL. 

Proof. We apply the complete rules to Q terminating with valid irreducible 
queries by Lemmas 2 and 3. The atomic part of these queries must be valid by 
Lemma 4, and hence succeed by Lemma 5, but then by Lemma 6, the whole of 
each query succeeds. □ 

5 Refinements 

In this section we make a number of refinements to GDL; in particular we use 
the introduction of new propositional variables to give more efficient reduction 
rules, we give revised (mingle) and (success) rules to obtain terminating calculi, 
and finally we treat connectives other than — > and T, and truth constants. 

5.1 More Efficient Reduction 

One significant problem for the efficiency of GDL is that the reduction rules 
place multiple copies of the database in the history, meaning that each for- 
mula may be reduced an exponential number of times. For example notice that 
in Example 2 the formula $(p \to q) \to q$ occurs (3 lines down) twice: once in 
the database and once again in the history. The solution we propose here is to 
introduce new propositional variables which ensure that formulae are not dupli- 
cated, and may be thought of as keeping track of different options in the history. 

Definition 11 (GDL_e). GDL_e consists of the rules of GDL with the reduction rules 
replaced by the following, writing $2x$ for the multiset $\{x, x\}$: 

(a-reduction) from $\Gamma, \delta \vdash \delta, \Delta; H$ step to $\Gamma \vdash \Delta; H$, where $\delta$ is atomic 

(l-reduction) from $\Gamma, \Pi \to q' \vdash q, \Delta; H$ where $q' \in \{q, \bot\}$ step to 
$q' \vdash \Pi, 2x; H \cup \{(\Gamma, 2x \vdash q, \Delta)\}$, $x$ a new propositional variable 

(r-reduction) from $\Gamma \vdash q, \Delta; H \cup \{(\Gamma', \Pi \to q \vdash \Delta')\}$ step to 
$q \vdash \Pi, 2x; H \cup \{(\Gamma', 2x \vdash \Delta'), (\Gamma \vdash q, \Delta)\}$, $x$ a new propositional variable 

Note that for GDLg we have given an alternative breakdown of the reduc- 
tion process. In particular goals matching atoms in the database are removed by 
(a-reduction) while {l-reduction) takes care of the cases where a goal matches 
the head of a formula in the database or the head is _L. In both {l-reduction) and 
(r-reduction) the formula reduced is replaced by two copies of a new proposi- 
tional variable x, which act as a marker allowing the formula to be decomposed 
independently from the database. 

Example 3. We illustrate GDL_e with the following proof: 

$\vdash [(p \to q) \to r, (q \to p) \to r] \to r; \emptyset$   (implication) 
$(p \to q) \to r, (q \to p) \to r \vdash r; \emptyset$   (l-reduction) 
$r \vdash p \to q, 2x; \{(2x, (q \to p) \to r \vdash r)\}$   (implication) 
(1) $r \vdash 2x; \{(2x, (q \to p) \to r \vdash r)\}$   (mingle) 
$r, x, (q \to p) \to r \vdash x, r; \{(r \vdash 2x), (2x, (q \to p) \to r \vdash r)\}$   (success) 
(2) $r, p \vdash q, 2x; \{(2x, (q \to p) \to r \vdash r)\}$   (restart) 
$2x, (q \to p) \to r \vdash r; \{(r, p \vdash q, 2x)\}$   (l-reduction) 
$r \vdash q \to p, 2y; \{(r, p \vdash q, 2x), (2x, 2y \vdash r)\}$   (implication) 
(2.1) $r \vdash 2y; \{(r, p \vdash q, 2x), (2x, 2y \vdash r)\}$   (mingle) 
$2x, r, y \vdash r, y; \{(r, p \vdash q, 2x), (2x, 2y \vdash r), (r \vdash 2y)\}$   (success) 
(2.2) $r, q \vdash p, 2y; \{(r, p \vdash q, 2x), (2x, 2y \vdash r)\}$   (mingle) 
$2r, q \vdash q, 2x, 2y; \{(r, p \vdash q, 2x), (2x, 2y \vdash r), (r, q \vdash p, 2y)\}$   (mingle) 
$2r, q, x, 2y \vdash q, x, 2y, r; \{(r, p \vdash q, 2x), (2x, 2y \vdash r), (r, q \vdash p, 2y), (2r, q \vdash q, 2x, 2y)\}$   (success) 

Theorem 6. Q succeeds in GDL_e iff $\models^* Q$. 

Proof. Soundness and completeness for GDL_e are proved in exactly the same 
manner as the corresponding results for GDL, the main issue being to check 
that the new reduction rules are both sound and complete. As an example we 
check the soundness of (l-reduction) assuming as before that $H = \emptyset$. Suppose 
that we have a valuation $v$ for $[-1,0]_L$. If $\sum v(\Pi) \le v(q)$ then $v(\Pi \to q) = 0$ and 
extending $v$ with $v(x) = 0$ we get from the premise that $v(\Gamma) = v(\Gamma) + 2v(x) \le 
v(q) + v(\Delta)$ as required. If $\sum v(\Pi) > v(q)$ then suppose that $v(\Gamma) + v(\Pi \to q) = 
v(\Gamma) + v(q) - \sum v(\Pi) > v(q) + v(\Delta)$. This means that $v(\Gamma) - \sum v(\Pi) + \epsilon > v(\Delta)$ 
for some $\epsilon < 0$. We now define: 

$v(x) = \frac{v(q) - \sum v(\Pi) + \epsilon}{2}$ 

noting that dividing by two ensures that $0 \ge v(x) \ge -1$, which gives that 
$v(q) > \sum v(\Pi) + 2v(x)$ and $v(\Gamma) + 2v(x) > v(q) + v(\Delta)$, a contradiction. □ 

5.2 Terminating Calculi 

There are several options for developing terminating calculi for L. Perhaps the 
simplest approach is to feed irreducible queries to a linear programming problem 
solver, which with the improved efficiency reduction rules of the previous section 
gives a co-NP algorithm. Alternatively if we want to maintain a logical interpretation 
for each step we can adapt the (mingle) rule, giving terminating strategies 
with either queries of an exponential size or involving non-deterministic choices. 

A goal-directed calculus using linear programming is as follows, noting that 
the (success) rule transforms a query into a set of equations over [—1, 0]; validity 
of the query being implied by the inconsistency of this set: 

Definition 12 (GDL_lp). GDL_lp consists of the rules (implication), the reduction rules 
and (restart) of GDL_e together with: 

(success) $\Gamma_1 \vdash \Delta_1; \{\Gamma_2 \vdash \Delta_2, \dots, \Gamma_n \vdash \Delta_n\}$ succeeds if the set 
$\{\sum \mathit{atom}(\Gamma_i) > \sum \mathit{atom}(\Delta_i)\}_{1 \le i \le n}$ is inconsistent over $[-1,0]$, where 
$\mathit{atom}(\Gamma) = \{q \mid q \in \Gamma, q \text{ atomic}\}$. 

Theorem 7. $\models^* Q$ iff Q succeeds in GDL_lp. 

Theorem 8. Derivability in GDL_lp is co-NP. 

Proof. To show that a query with length $l$ fails in GDL_lp, we apply (implication) 
and the reduction rules exhaustively using (restart) to move between different 
states in the history, choosing a branch non-deterministically. It is easy to see 
that applying each rule takes polynomial time in $l$, and that since each of the 
rules except (restart) strictly reduces the complexity of the query, the length 
of the branch is polynomial in $l$. Moreover both the number of propositional 
variables, and the number of different states are polynomial in $l$, so since linear 
programming is polynomial, checking (success) is also polynomial in $l$. Hence 
derivability in GDL_lp is co-NP. □ 

Note that GDL_lp is also easily adapted to cope with finite-valued Lukasiewicz 
logics, since we can just change the (success) rule to check for inconsistency over 
the set $\{-1, -\frac{n-2}{n-1}, \dots, -\frac{1}{n-1}, 0\}$ for the $n$-valued logic $L_n$. 

We get “logical methods” for solving linear programming problems by changing 
the (mingle) rule of GDL_e to allow matching of multiple occurrences of 
atoms, the idea being to obtain a terminating procedure by removing all occur- 
rences of one particular propositional variable at a time. We give two versions: 
Definition 13 (GDL_i). GDL_i, $i = 1, 2$, consists of the rules of GDL_e with (mingle) 
replaced by (mingle_i): 

(mingle_1) from $\Gamma \vdash \lambda q, \Delta; H \cup \{(\Gamma', \mu q \vdash \Delta')\}$ step to 
$\mu\Gamma, \lambda\Gamma' \vdash \mu\Delta, \lambda\Delta'; H \cup \{(\Gamma', \mu q \vdash \Delta'), (\Gamma \vdash \lambda q, \Delta)\}$ 

(mingle_2) from $\Gamma \vdash \lambda q, \Delta; H \cup \{(\Gamma', \mu q \vdash \Delta')\}$ step to either 
$\mu\Gamma, \lambda\Gamma' \vdash \mu\Delta, \lambda\Delta'; H \cup \{(\Gamma \vdash \lambda q, \Delta)\}$ or 
$\mu\Gamma, \lambda\Gamma' \vdash \mu\Delta, \lambda\Delta'; H \cup \{(\Gamma', \mu q \vdash \Delta')\}$ 

Note that GDL_1 keeps all previous states of the database in the history, 
giving an exponential blow-up in the size of the query. GDL_2 on the other hand 
keeps the size of queries linear but requires non-deterministic choices. 

Example 4. We illustrate GDL_2 with a proof of an atomic query: 

$2p \vdash 3q, r; \{(q, r \vdash p), (2q \vdash p)\}$   (mingle_2) 
$2p, 3r \vdash r, 3p; \{(2q \vdash p), (2p \vdash 3q, r)\}$   (a-reduction) 
$2r \vdash p; \{(2q \vdash p), (2p \vdash 3q, r)\}$   (switch) 
$2p \vdash 3q, r; \{(2q \vdash p), (2r \vdash p)\}$   (mingle_2) 
$4p \vdash 2r, 3p; \{(2q \vdash p), (2r \vdash p)\}$   (a-reduction) 
$p \vdash 2r; \{(2q \vdash p), (2r \vdash p)\}$   (mingle_2) 
$2p \vdash 2p; \{(2q \vdash p), (2r \vdash p)\}$   (success) 

Theorem 9. Q succeeds in GDL_i iff $\models^* Q$, $i = 1, 2$. 

Theorem 10. GDL_i is terminating under a suitable control strategy, $i = 1, 2$. 

Proof. We sketch suitable control strategies. The first step is to reduce formulae 
in the query to obtain irreducible queries. Since the reduction rules all reduce the 
complexity of the query it is sufficient here to ensure that (switch) is not applied 
ad infinitum e.g. using a split history to show which states have already been 
considered. For the second step we require that (a-reduction) is applied eagerly 
i.e. whenever possible, and that (mingle_i) is applied with the maximum matching 
propositional variables i.e. we add the condition $q \notin \Gamma \cup \Gamma' \cup \Delta \cup \Delta'$. Moreover 
we must insist that (mingle_i) is applied exhaustively to just one propositional 
variable at a time, using (switch) to move between states. □ 
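The atomic machinery of Sections 4 and 5.2, that is the validity condition of Definition 6, the (success) test $\subseteq^*$ of Definition 7 and the (mingle_2) step of Definition 13, is small enough to run. The Python below is an added example written for this page, not code from the paper: multisets of atoms carry multiplicities as in Example 4, ⊥ is valued −1, validity is probed by a grid search over valuations (a valuation found refutes a query; finding none is evidence, not a proof), and Example 4 is replayed step by step. The (switch) steps of that example are executed as (restart) swapping the current state with a history state, which is an assumption since the page does not define (switch); the function names and the query representation are the example's own.

```python
from fractions import Fraction
from itertools import product
from collections import Counter

BOT = '⊥'          # the constant ⊥, valued -1 in [-1,0]_L


def ms(*items):
    """Multiset of atoms from (multiplicity, atom) pairs: ms((2, 'p'), (1, 'r')) is 2p, r."""
    c = Counter()
    for k, a in items:
        c[a] += k
    return c


def total(mset, v):
    """Σ v(A) over a multiset of atoms, counting each ⊥ as -1."""
    return sum(k * (Fraction(-1) if a == BOT else v[a]) for a, k in mset.items())


def holds(query, v):
    """Definition 6 for one valuation: some state Γ_i ⊢ Δ_i has Σv(Γ_i) <= Σv(Δ_i).
    A query is the list [(Γ1, Δ1), (Γ2, Δ2), ...]; the first pair is the current state."""
    return any(total(g, v) <= total(d, v) for g, d in query)


def counterexample(query, steps=4):
    """Grid search (constructed grid {0, -1/steps, ..., -1}) for a valuation refuting
    the query; None means none was found on the grid, which is evidence, not a proof."""
    names = sorted({a for g, d in query for a in (g + d) if a != BOT})
    pts = [Fraction(-k, steps) for k in range(steps + 1)]
    for vals in product(pts, repeat=len(names)):
        v = dict(zip(names, vals))
        if not holds(query, v):
            return v
    return None


def subset_star(goals, db):
    """Definition 7: Δ ⊆* Γ. Every goal is matched by an occurrence of itself in Γ,
    and each goal left over is matched by a spare occurrence of ⊥ in Γ."""
    spare_bot = db[BOT] - goals[BOT]
    if spare_bot < 0:
        return False
    deficit = sum(max(0, k - db[a]) for a, k in goals.items() if a != BOT)
    return deficit <= spare_bot


def success(query):
    """(success): the current state Γ1 ⊢ Δ1 satisfies Δ1 ⊆* Γ1."""
    g, d = query[0]
    return subset_star(d, g)


def scale(k, mset):
    return Counter({a: k * n for a, n in mset.items()})


def a_reduce(query):
    """(a-reduction) applied eagerly: cancel every goal matched by the same atom in the database."""
    (g, d), hist = query[0], query[1:]
    common = g & d                      # multiset intersection
    return [(g - common, d - common)] + hist


def switch(query, j):
    """(restart), used here for the (switch) steps of Example 4 (an assumption, see lead-in):
    history state j becomes current and the old current state is recorded."""
    (g, d), hist = query[0], query[1:]
    return [hist[j]] + hist[:j] + hist[j + 1:] + [(g, d)]


def mingle2(query, q, j, keep_matched):
    """(mingle_2): λ copies of goal q in the current state are matched against μ copies of q
    in the database of history state j, stepping to μΓ, λΓ' ⊢ μΔ, λΔ'. With keep_matched=False
    the matched state is dropped and the old current state recorded; with keep_matched=True
    the matched state stays and nothing is recorded (the rule's two alternatives)."""
    (g, d), hist = query[0], query[1:]
    g2, d2 = hist[j]
    lam, mu = d[q], g2[q]
    if lam == 0 or mu == 0:
        raise ValueError("no occurrence of %s to match" % q)
    new_g = scale(mu, g) + scale(lam, g2 - Counter({q: mu}))
    new_d = scale(mu, d - Counter({q: lam})) + scale(lam, d2)
    if keep_matched:
        return [(new_g, new_d)] + hist
    return [(new_g, new_d)] + hist[:j] + hist[j + 1:] + [(g, d)]


def example_4():
    """Replay Example 4 from 2p ⊢ 3q, r; {(q, r ⊢ p), (2q ⊢ p)} to 2p ⊢ 2p; {(2q ⊢ p), (2r ⊢ p)}."""
    q0 = [(ms((2, 'p')), ms((3, 'q'), (1, 'r'))),
          (ms((1, 'q'), (1, 'r')), ms((1, 'p'))),
          (ms((2, 'q')), ms((1, 'p')))]
    q1 = mingle2(q0, 'q', 0, keep_matched=False)   # 2p, 3r ⊢ r, 3p; {(2q ⊢ p), (2p ⊢ 3q, r)}
    q2 = a_reduce(q1)                               # 2r ⊢ p; {(2q ⊢ p), (2p ⊢ 3q, r)}
    q3 = switch(q2, 1)                              # 2p ⊢ 3q, r; {(2q ⊢ p), (2r ⊢ p)}
    q4 = mingle2(q3, 'q', 0, keep_matched=True)     # 4p ⊢ 2r, 3p; {(2q ⊢ p), (2r ⊢ p)}
    q5 = a_reduce(q4)                               # p ⊢ 2r; {(2q ⊢ p), (2r ⊢ p)}
    q6 = mingle2(q5, 'r', 1, keep_matched=True)     # 2p ⊢ 2p; {(2q ⊢ p), (2r ⊢ p)}
    return [q0, q1, q2, q3, q4, q5, q6]


if __name__ == '__main__':
    for step in example_4():
        print(dict(step[0][0]), '⊢', dict(step[0][1]), 'counterexample:', counterexample(step),
              'success:', success(step))
```

Every intermediate query of the replay has no grid counterexample, which is what the soundness and completeness of (mingle_2) in Theorem 9 predict, and the final query $2p \vdash 2p$ passes (success) while the initial one does not.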

5.3 Rules for Other Connectives 

Although the standard connectives of L are all definable in a language with just 
the connectives $\to$ and $\bot$, this treatment is often unsatisfactory for two reasons. 
First, the definitions may multiply the size of formulae exponentially, e.g. 
$A \vee B =_{def} (A \to B) \to B$, and second, it may introduce occurrences of $\bot$ which 
are not very good for proof search, e.g. $A \wedge B =_{def} ((A \to \bot) \vee (B \to \bot)) \to \bot$. 
We therefore illustrate here one possible approach to dealing with other well 
known connectives of L in an efficient fashion. We begin by defining normal 
forms for goal and database formulae in a language with connectives $\odot$, $\wedge$, 
$\vee$ and $\bot$, where every formula A in this language is equivalent to both a goal- 
formula and a strong conjunction of database formulae, with complexity linear 
in the complexity of A. 

Definition 14 (Normal Forms). Goal-formulae $G$ and database-formulae $D$ are defined by: 

$G = q \mid \bot \mid G \vee G \mid G \wedge G \mid D \to G$     $H = q \mid \bot \mid H \vee H$     $D = H \mid G \to D$ 

Lemma 7. For every formula $A$ there are a goal-formula $G$ and database-formulae 
$D_1, \dots, D_n$ such that, for $B = D_1 \odot \dots \odot D_n$, $v(A) = v(B) = v(G)$ for all 
valuations $v$ for $[-1,0]_L$. 

We now provide a goal-directed calculus for L using these normal forms. 

Definition 15 (GDL_f). GDL_f consists of the rules (success), (a-reduction), 
(mingle) and (restart) of GDL_e together with: 

(implication) from $\Gamma \vdash \Pi \to G, \Delta; H$ step to $\Gamma \vdash \Delta; H$ and $\Gamma, \Pi \vdash G, \Delta; H$ 

(or) from $\Gamma \vdash A \vee B, \Delta; H$ step to 
$\Gamma, y \vdash x, \Delta; H \cup \{(x \vdash y, A), (x \vdash y, B)\}$, $x, y$ new propositional variables 

(and) from $\Gamma \vdash A \wedge B, \Delta; H$ step to $\Gamma \vdash A, \Delta; H$ and $\Gamma \vdash B, \Delta; H$ 

(l-reduction) from $\Gamma, \Pi \to (A \vee q') \vdash q, \Delta; H$ where $q' \in \{q, \bot\}$ step to 
$\Gamma, \Pi \to A \vdash q, \Delta; H$ and 
$q' \vdash \Pi, 2x; H \cup \{(\Gamma, 2x \vdash q, \Delta)\}$, $x$ a new propositional variable 

(r-reduction) from $\Gamma \vdash q, \Delta; H \cup \{(\Gamma', \Pi \to (A \vee q) \vdash \Delta')\}$ step to 
$\Gamma \vdash q, \Delta; H \cup \{(\Gamma', \Pi \to A \vdash \Delta')\}$ and 
$q \vdash \Pi, 2x; H \cup \{(\Gamma', 2x \vdash \Delta'), (\Gamma \vdash q, \Delta)\}$, $x$ a new propositional variable 

Theorem 11. Q succeeds in GDL_f iff $\models^* Q$. 

5.4 Adding Truth Constants 

All the algorithms we have given so far have dealt with proving theorems of L, 
i.e. formulae which always take the value 0 in the model $[-1,0]_L$. However, from 
the point of view of fuzzy logic, it is natural to ask for proofs of partially true 
conclusions from partially true premises. The key fact here is that in L for any 
valuation $v$ for $[-1,0]_L$, if for a formula A, $v(A) = r$, then for any formula B, 
$v(B) \ge r$ iff $v(A \to B) = 0$. Hence by adding a truth constant $r$ to our language, 
i.e. a constant where $v(r) = r$ for all valuations $v$ for $[-1,0]_L$, we can express 
that a formula has value greater than or less than $r$. Now it is possible here to 
add constants for any and indeed all real numbers between $-1$ and $0$; however 
it is more usual (see e.g. [7]) to consider just the rational numbers (giving a 
countable language) thereby getting Rational Pavelka Logic RPL. 

Obtaining a calculus for RPL is straightforward, the key step being to rede- 
fine the relation in the (success) rule to deal with extra constants. 
Definition 16 ($\subseteq^c$). $\Delta \subseteq^c \Gamma$ iff (i) $\Gamma = \Gamma_1 \cup \{a_1, \dots, a_n\}$ where $a_1, \dots, a_n$ 
are truth constants; (ii) $\Delta = \Delta_1 \cup \Delta_2 \cup \{b_1, \dots, b_m\}$ where $b_1, \dots, b_m$ are truth 
constants; (iii) $\Delta_1 \subseteq \Gamma_1$; (iv) $|\Delta_2| + \sum_{i=1}^{n} a_i \le \sum_{i=1}^{m} b_i$. 

The only other change we need to make is to allow reduction of database 
formulae with any truth constant as a head. In the general case this is bad for 
proof search since it means that all such formulae can be reduced no matter 
what the goal; however for fuzzy reasoning it is often sufficient to have constants 
only in the body of database formulae. 

Definition 17 (GDL_c). GDL_c is GDL_e with $\subseteq^*$ replaced by $\subseteq^c$ in (success), 
and with $q' \in \{q, \bot\}$ in (l-reduction) replaced by $q' = q$ or $q' = a$ for a truth constant $a$. 

Theorem 12. Q succeeds in GDL_c iff $\models^* Q$. 

6 Application to Fuzzy Logic Programming 

In this section we show that our algorithms can be used as the basis for fuzzy 
logic programming applications, illustrating the potential of our approach by 
considering an example for L taken from [8]. In this case a database consists 
of a number of fuzzy statements (Horn clauses) such as “students are young” 
with associated lower bounds for truth values, and queries involve deriving lower 
bounds for (non-implicational) logical consequences of such databases like “Mary 
is young”. Observe however that although the statements are first order, the 
use of a restricted function-free language means that for a finite domain we 
can translate such statements into formulae of propositional logic by taking the 
lattice conjunction of all possible instances.¹ Moreover whereas in [8] truth values 
representing lower bounds are treated as separate entities, here following the 
previous section, we can represent “A has truth value greater than or equal to a” 
by the formula $a \to A$. Below we list the statements considered in [8] translated 
into a set of propositional formulae of L for each individual $i$ in the domain (e.g. 
$yng_i$ has the meaning “$i$ is young”), noting that in [8] the disjunctive clause s3 
is written as two separate clauses. 





s1  Students are young.                                      [~j:, sdnt_i] → yng_i 

s2  Young people are single.                                 [-i, yng_i] → sng_i 

s3  Students who have children are married or cohabitants.   [sdnt_i, pnt_i] → (mrd_i ∨ chbt_i) 

s4  Cohabitants are young.                                   [-i^, chbt_i] → yng_i 

s5  Single, married and cohabitant are mutually exclusive.   [sng_i, mrd_i] → ⊥, [sng_i, chbt_i] → ⊥, [mrd_i, chbt_i] → ⊥ 



We now want to derive logical consequences from such a database. By the 

deduction theorem for L (Theorem 2) we can simply allow as many occurrences 



of a formula as we want in the database and use (for example) the algorithm 
GDL_c to prove the desired consequence. This approach is obviously not termi- 
nating but although the refinements required to obtain a terminating algorithm 
for logical consequence are not overly difficult, we again leave this task for future 
work. In [8] a number of queries are considered, all of which can be treated in 
our approach. For example, to find a lower bound for the truth value of “Lea 
is single” given that “Lea is a student” we can prove $c \to sng_i$ from s1, s2 and 
$sdnt_i$ as follows (where $c$ is a to-be-determined truth constant). 

¹ We leave finding a more efficient approach using unification for future work. 



si, s2, sdnti b 
si, s2, sdnti, c h 
sngi h 
yng^ h 
2a;, 2y, c, yng^ h 
2a;, 2y, c, yng^ h 



c ^ sngi', 0 
sngi',tt) 

~^,yngi, 2x; {(si, 2a;, sdnti, c b’ sngi)} 

sdnti, 2y; {{sngi b - 2x), {2y, 2x, sdnU, c b’ sngi)} 

-^,2y,sngi', {{sng^ b’ -\,yngi,2x), {2y,2x,sdnti,c\~‘^ sngi)} 
-h‘^y^-lyyngi,‘2x;{{sngi b' ~l,yngi,2x) 

{2y,2x, sdnti, c\-' sngi)} 



We observe that the computation succeeds at the second line iff c = — 1 
and at the last iff c < — giving that c ^ sngi is derivable from the given 

database for all c < — |. In general we have to consider all possible proofs to 
obtain the greatest lower bound. We note further that unlike the algorithms 
presented in [8] we can also cope either with embedded implications e.g. “very 
young people are single” could be represented as ^ yngi] sngi, or 

clauses with disjunctive bodies, e.g. “students and young people are single” could 
be represented as (sdnt_l ∨ yng_l) → sng_l. Hence our algorithms provide the basis 
for a far more expressive approach to fuzzy logic programming in L. 



7 Concluding Remarks 

In this paper we have presented a basic goal-directed calculus for Łukasiewicz 
logic L with a purely logical interpretation, subsequently refined to obtain more 
efficient and terminating reduction methods, and extensions to Rational Pavelka 
Logic RPL. These calculi are a significant improvement on other automated 
reasoning methods for L proposed in the literature. Unlike the tableaux calculi of 
[6, 17], and the resolution calculi of [21, 16], each step in our calculi has an 
intuitive logical interpretation. Moreover the goal-directed methodology both gives 
an algorithmic reading of the logic, and ensures that, rather than decomposing 
all formulae (as in the cited approaches), only formulae relevant to the current 
proof are treated. We note also that as for the mentioned tableaux calculi we 
obtain a co-NP decision procedure for L using linear programming. Finally, a 
promising direction for applications of these calculi is as the basis for fuzzy logic 
programming algorithms. Using our techniques we are able not only to derive 
lower bounds for logical consequences in L from Horn clauses with lower bounds, 
as in [8, 20] (see also the “quantitative” variant of Prolog introduced by Van 
Emden, and developed by Subrahmanian in [19]), but also to deal with the full range 
of propositional formulae of L, giving a far more expressive logic programming 
language. We intend to investigate issues regarding the implementation of such 
a language in future work. 
Abstract. We re-express our theorem on the strong-normalisation of 
display calculi as a theorem about the well-foundedness of a certain or- 
dering on first-order terms, thereby allowing us to prove the termination 
of systems of rewrite rules. We first show how to use our theorem to prove 
the well-foundedness of the lexicographic ordering, the multiset ordering 
and the recursive path ordering. Next, we give examples of systems of 
rewrite rules which cannot be handled by these methods but which can 
be handled by ours. Finally, we show that our method can also prove the 
termination of the Knuth-Bendix ordering and of dependency pairs. 

Keywords: rewriting, termination, well-founded ordering, recursive path 
ordering 



1 Introduction 

The traditional method for proving the termination of a rewriting system uses 
well-founded orderings [7]. The traditional method for proving strong-normal- 
isation of λ-calculi is to use structural induction on lambda terms and their types, 
backed by auxiliary well-founded inductions. Recently, structural induction on 
derivations has been used to prove cut-elimination [12] and to prove strong- 
normalisation of the generalised sequent framework of display calculi [3]. 

We re-express our theorem on the strong-normalisation of display calculi as 
a theorem about the well-foundedness of a certain ordering on first-order terms, 
thereby allowing us to prove the termination of systems of rewrite rules. We then 
show how to use our theorem to prove the well-foundedness of the lexicographic 
ordering, the multiset ordering and the recursive path ordering. Next, we give 
examples of systems of rewrite rules which cannot be handled by these methods 
but which can be handled by ours. Finally, we show that our method can also 
prove the termination of the Knuth-Bendix ordering and of dependency pairs. 

The results in this paper have been machine-checked using the logical 
framework Isabelle, see http://web.rsise.anu.edu.au/~jeremy/isabelle/snabs/ 

Important methods for proving termination of rewrite systems 
often use simplification orderings. These include the recursive path orderings 
([7], [11]) and the Knuth-Bendix ordering. In §3.7 and §3.8 we use our theorem 
to prove the well-foundedness of these orderings. 

These orderings have been generalised by Ferreira & Zantema [9] , Dershowitz 
& Hoot [6] and Borralleras, Ferreira & Rubio [2]. Their theorems, like ours, 
are not limited to simplification orderings, but they prove the well-foundedness 
of larger relations which satisfy the subterm property, so if they were closed 
under context (rewrite relations), they would also be simplification orderings. 
Jean Goubault-Larrecq [10] has proved results which are more general in that 
they replace the notion of subterm with an arbitrary well-founded relation. He 
also generalises methods for dealing with the λ-calculus, where the notion of 
substitution creates difficulties for techniques such as ours. 

Arts & Giesl [1] describe a method of proving termination using “depen- 
dency pairs”. They give key theorems and extensive development of resulting 
techniques. Their method does not require a simplification ordering or the sub- 
term property. In §3.9 we use our theorem to prove one of their key theorems. 

1.1 Notation and Terminology 

Assume that we have fixed some syntax for defining “terms” like r, s and t. We 
deliberately leave this notion vague for now. 

For an irreflexive binary relation ρ on terms, we will write (r, t) ∈ ρ, (r, t) ∈ 
<ρ, r <ρ t or t >ρ r interchangeably. Relations will be assumed irreflexive unless 
the contrary is stated, but are not assumed transitive even when written <ρ. We 
say r is well-founded or strongly normalising (with respect to ρ) if there is no infinite 
descending sequence r = r0 >ρ r1 >ρ r2 >ρ ... of terms, and ρ is well-founded 
(or strongly normalising) if every term r is. We write ≤ρ, <ρ+ and <ρ* for the reflexive 
closure, the transitive closure and the reflexive transitive closure, respectively, 
of <ρ. We write σ ∘ ρ for the relational composition of relations σ and ρ, in the 
sense that (r, s) ∈ σ ∘ ρ if there exists t such that (r, t) ∈ ρ and (t, s) ∈ σ. 

Often (see our examples) such a relation is described by giving a finite set 
of “rewrite rules” l_i → r_i, where l_i and r_i are terms containing (meta-)variables 
for which terms may be substituted. 

When a relation is defined by a set of rewrite rules, it is also usually taken 
that it is closed under context, ie, that where C[-] is a context (a term with a 
“hole”), and l rewrites to r, then C[l] rewrites to C[r]. Often such a relation is 
called a rewrite relation, such as the “β-reduction” of the lambda calculus. 

The setting of our main theorem is that we are given a binary relation ρ 
which may or may not consist of the substitution instances of a finite set of 
rewrite rules, and which is not necessarily closed under context. Then we define 
↓ρ to be the closure under context of ρ and prove that ↓ρ is well-founded. 
When ρ consists of the substitution instances of a finite set of rewrite rules the 
well-foundedness of ↓ρ proves that the associated rewrite system terminates. 

To formalise “closure under context”, we must specify a language of terms. 
This is a first-order language, with a fixed set of function symbols, or term 
constructors, of fixed or variable (finite) arity, whose arguments and results are 
terms. This language may or may not contain term variables. The meta-language 
used to express rewrite rules and to discuss rewrites does contain term variables. 

Given a term like t = f(a, b, g(c, d)), its immediate subterms are a, b and 
g(c, d), its proper subterms are these and c and d, and its subterms are these 
and also t itself. We write s̄ for a sequence of terms s1, ..., sm, such that these 
are the immediate subterms of f(s̄). We define the “closure of ρ under context”, 
↓ρ: for example, if (c', c) ∈ ρ, then (f(a, g(c')), f(a, g(c))) ∈ ↓ρ. 

Definition 1 (Closure Under Context). (t1, t0) ∈ ↓ρ (we say that t0 reduces 
to t1) iff either (a) (t1, t0) ∈ ρ, or (b) t0 = f(s1, ..., si, ..., sm) and 
t1 = f(s1, ..., si', ..., sm) for some i with (si', si) ∈ ↓ρ. 

We also define, inductively, the set SN of strongly normalising terms. This 
definition is equivalent, at least in classical logic, to that given in §1.1. 

Definition 2 (Strongly Normalising). SN is the least set of terms such that 
t0 ∈ SN whenever every t1 with (t1, t0) ∈ ↓ρ is in SN. 

It is to be understood that concepts such as “strongly normalising”, 
“reduction”, etc, relate to ↓ρ, which is, itself, closed under context. It follows 
therefore that if t ∈ SN then all subterms of t are in SN. 

2 A Proof of Termination 

We now re-express our theorem about strong-normalisation for display calculi 
from [3] to make it applicable to term rewriting. 

2.1 Various Well-Founded Orderings 

To prove that ↓ρ is well-founded, we use a binary relation <dt on terms, 
and show that it is well-founded. The relation <dt depends on a relation <cut, 
which we have the freedom to define. The relation <cut must be well-founded, 
and invariably it is a superset of ρ. It will normally, but not necessarily, depend 
on the parts of the terms at or near its head (ie the roots of the corresponding 
abstract syntax trees). 



Definition 3 (<sn1, <sn2, <dt). Given ↓ρ and a well-founded relation <cut, 
the relations <sn1, <sn2 and <dt are defined as follows: 

(a) t1 <sn1 t0 iff t0 reduces to t1 by a reduction of an immediate subterm of t0 
which is strongly normalising, ie t0 = f(s1, ..., si, ..., sm), 
t1 = f(s1, ..., si', ..., sm), (si', si) ∈ ↓ρ and si ∈ SN; 

(b) t1 <sn2 t0 iff t0 reduces to t1 by a reduction of a subterm of t0 (not 
necessarily an immediate one) which is strongly normalising; 

(c) t1 <dt t0 iff t1 <cut t0 or t1 <sn1 t0. 
Note that t1 <sn1 t0 implies t1 <sn2 t0, and our main theorem uses only 
<sn1. However <sn2 is sometimes easier to work with because it is closed under 
context. We also define an auxiliary function, fwf, for “from well-founded”, which 
maps a binary relation ρ to a binary relation fwf ρ as below: 

Definition 4. (r, t) ∈ fwf ρ iff (r, t) ∈ ρ and t is well-founded with respect to ρ. 

Clearly, fwf ρ is well-founded, regardless of whether ρ is. We then prove 

Theorem 1. The relations <sn1 and <sn2 are well-founded. 

Despite the notation, these relations need not be transitive. Intuitively, t1 <dt 
t0 means that t1 is closer to being “normalised” (in some sense) than is t0. 

Recall that we require <cut to be well-founded. We also need <dt to be 
well-founded. Given that <cut and <sn1 are well-founded, to prove that <dt is 
well-founded, we need one of a number of sufficient conditions on the interaction 
between <cut and <sn1. 

Lemma 1. Let σ and τ be well-founded relations. Then σ ∪ τ is well-founded 
if any one of the following holds: 

(a) τ ∘ σ ⊆ σ* ∘ τ, 

(b) τ ∘ σ ⊆ σ ∘ τ*, 

(c) τ ∘ σ ⊆ τ ∪ σ, 

(d) τ ∘ σ ⊆ (σ ∘ (τ ∪ σ)*) ∪ τ. 

Of these, the last is from Doornbos & von Karger [8], and is implied by each 
of the others, which are in earlier results discussed and cited in [8]. 

Clearly <sn1 ⊆ <sn2, so to prove that <dt is well-founded it is enough to prove 
that <cut ∪ <sn2 is well-founded. Sometimes it is easier to prove one of the above 
conditions for <sn2 than for <sn1. 

2.2 Strong Normalisation Induced from Immediate Subterms 

We next define the set ISN, for “inductively strongly normalising”, as the set of 
terms that are in SN if their immediate subterms are in SN. Clearly, SN ⊆ ISN. 

Definition 5 (ISN). t ∈ ISN iff: if every immediate subterm of t is in SN, 
then t ∈ SN. 

The next lemma follows from this definition. We use only the ⇐ part. 

Lemma 2. t ∈ SN iff every subterm of t is in ISN. 

Proof. ⇒: Assume t ∈ SN and let u be a subterm of t, where t = C[u]. Consider 
any infinite sequence u = u0, u1, ... of reductions starting with u. Since the 
reduction relation is closed under context, t = C[u0], C[u1], ... is also an infinite 
sequence of reductions, contradicting t ∈ SN. Therefore u ∈ SN and so u ∈ ISN. 

⇐: By induction on the structure of term t: assume that the result holds 
for each immediate subterm t' of t. Assume that every subterm of t, including t 
itself, is in ISN. Therefore each immediate subterm t' of t has the property that 
every subterm of t' is in ISN, and so, by the inductive hypothesis, t' ∈ SN. As 
each t' ∈ SN, and t ∈ ISN, so t ∈ SN. □ 

2.3 Properties We Require of p 

Finally, given a rewrite system, our result requires that the relation ρ satisfy 
certain properties. The most general version of these is 

Condition 1. For all (r, l) ∈ ρ, if all proper subterms of l are in SN, then for 
every subterm r' of r, 

(a) r' ∈ SN, or 

(b) r' <dt l. 

In practice we use a simpler condition which implies Condition 1, such as 

Condition 2. For all (r, l) ∈ ρ and every subterm r' of r, 

(a) r' is a proper subterm of l, or 

(b) r' <cut l, or 

(c) l reduces to r' by a reduction of an immediate subterm of l. 

For if we assume that all proper subterms of l are in SN, as required in the 
precondition of Condition 1, then Condition 2(a) implies that r' ∈ SN, and 2(c) 
implies that r' <sn1 l, which implies that r' <dt l. 

Note that sometimes, as in Example 3.3, we extend the relation ρ to satisfy 
Conditions 1 and 2. 

2.4 Strong-Normalisation 

Lemma 3. Let ρ satisfy Condition 1, and let t0 be a term such that every 
t' with t' <dt t0 is in ISN. Then t0 ∈ ISN. 

Proof. Given t0, assume that ρ satisfies Condition 1 and that 

(a): all terms t' such that t' <dt t0 are in ISN. 

We need to show t0 ∈ ISN, so we assume that 

(b): all immediate subterms of t0 are in SN, 

and we show that t0 ∈ SN. 

To show that t0 ∈ SN, we show that every term t1 that can be obtained from 
t0 by a single reduction is in SN. We consider the two possible cases: whether 
the reduction occurs in a proper subterm of t0, or is a reduction of t0 as a whole. 
Firstly, consider a reduction in a proper subterm of t0: that is, (t1, t0) ∈ 
↓ρ \ ρ. Then the reduction is in an immediate (strongly normalising) subterm 
of t0. So t1 <sn1 t0 and hence t1 <dt t0 by Definition 3(c). Therefore t1 ∈ ISN by 
assumption (a). Now each immediate subterm of t1 is equal to, or is a reduction 
of, an immediate subterm of t0, which itself is in SN by assumption (b). All 
immediate subterms of t1 are therefore in SN. Therefore, as t1 ∈ ISN, t1 ∈ SN. 
Secondly, consider a reduction of the whole term t0: that is, (t1, t0) ∈ ρ. 
Thus we get the new term t1 whose subterms are either in SN because of 
Condition 1(a) or are subterms which are <dt-smaller than t0, by Condition 1(b). 
That is, every subterm t1' of t1 (including t1 itself) satisfies one of the following: 

(c): t1' ∈ SN      (d): t1' <dt t0 

Then t1' ∈ ISN, in case (c) because SN ⊆ ISN, and in case (d) by assumption 
(a). Since t1' is an arbitrary subterm of t1, Lemma 2 implies that t1 ∈ SN. 

In either case t1 ∈ SN. Since t1 was obtained via an arbitrary reduction from 
t0, it follows that t0 ∈ SN. Thus we have t0 ∈ ISN. □ 

Theorem 2. If ρ satisfies Condition 1 and <dt is well-founded, then ↓ρ is 
well-founded, ie every term is in SN. 

Proof. As <dt is well-founded, it follows from Lemma 3 by well-founded 
induction that every term is in ISN; now use Lemma 2. □ 

We now have a way of proving termination of a suitable rewrite system. Given 
the relation ρ, normally the rewrite rules and their substitutional instances, we 
define a well-founded relation <cut such that, when <sn1 and <dt are defined 
as in Definition 3, the resulting <dt is well-founded and Condition 1 is satisfied. 
This is enough to show the well-foundedness of ↓ρ. In the following section 
we show some examples using this procedure. 



3 Examples Using the Theorem 

As explained above, the crux is to find an appropriate definition of <cut- 

3.1 Multiset Order 

Given an irreflexive relation ρ on a set E, we can define the multiset ordering derived 
from ρ on multisets of elements of E. We use A, B and C for finite multisets 
of elements of E, by which we mean both that they contain only finitely many 
distinct elements and that they contain only finitely many copies of each such 
element. We use A ∪ B to stand for the multiset union. We consider the irreflexive 
relation <ml defined on finite multisets: 

<ml: ∀C, ∀b ∈ E. if, for all c ∈ C, c <ρ b, then C ∪ A <ml {b} ∪ A 

If ρ is a strict order (an irreflexive, transitive relation), then <ml+, the transitive 
closure of <ml, is equal to the multiset order derived from ρ. 

We represent a multiset as a tree, with two sorts of node, “inner” nodes (I) 
and “leaf” nodes (L). Viewing such a tree as a term, the function symbols are I 
and, for each e ∈ E, L(e), where I has arbitrary arity and each L(e) is nullary. 
The “leaf multiset” of a tree is the multiset of its leaf nodes, but with each L(e) 
changed to e. Note that different trees can have the same leaf multiset. 

We define a rewrite relation on such trees (terms) as follows. For every (finite) 
multiset C = [c1, c2, ..., ck] and every element b ∈ E such that for all ci ∈ C, 
ci <ρ b (as in the definition of <ml) we have a rule 

L(b) → I(L(c1), L(c2), ..., L(ck)) 

Theorem 3. If ρ is well-founded then the rewrite relation just defined, and 
hence <ml, are well-founded. 

Proof. Clearly, whenever A <ml B, any tree whose leaf multiset is B can be 
reduced to a tree whose leaf multiset is A using the rewrite relation defined above. 
Since for a given finite multiset B there always is a tree whose corresponding 
multiset is B, when we show that rewriting terminates we have shown that the 
multiset order is well-founded. 

We prove that this rewrite system terminates. We define <cut by the rules 

L(x) >cut I(ȳ)        L(x) >cut L(y) iff x >ρ y 

It is clear that <cut is well-founded when ρ is. To show that <cut ∪ <sn1 
is well-founded, we use Lemma 1, by showing that in fact <sn1 ∘ <cut = ∅. For 
suppose t >sn1 u >cut v. Then u must be of the form L(x), and a proper subterm 
of t must reduce to a proper subterm of u, but u has no proper subterms. 

To show that Condition 2 is satisfied, when L(b) → I(L(c1), ..., L(ck)), 
we have L(b) >cut I(L(c1), ..., L(ck)) by the first rule for <cut, and, for every 
subterm L(a) of the reduced subterm, L(b) >cut L(a) by the second rule. 
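The one-step relation <ml, its transitive closure, and the tree rewriting of §3.1 are small enough to execute. The following is an added example, not code from the paper: multisets are Python Counters, the underlying relation ρ is the usual order on natural numbers (nat_lt), and all function names are our own.

```python
# Added example, not from the paper: the one-step relation <ml of Section 3.1 and
# the multiset ordering it generates, over finite multisets stored as Counters.
# nat_lt plays the role of the underlying relation rho; all names are ours.
from collections import Counter

def ms(*elems):
    """Build a finite multiset from its elements (repeats allowed)."""
    return Counter(elems)

def nat_lt(a, b):
    """The underlying relation <rho used below: the usual order on naturals."""
    return a < b

def contained(small, big):
    """Multiset inclusion: each element occurs in big at least as often as in small."""
    return all(big[e] >= n for e, n in small.items())

def ml_step(A, B, lt):
    """A <ml B in a single step of the paper's definition: B = {b} U R and A = C U R
    where every c in C satisfies c <rho b (C may be empty, so dropping b is a step)."""
    for b in B:
        rest = B - Counter({b: 1})          # remove one copy of b from B
        if not contained(rest, A):
            continue
        C = A - rest                        # the elements that replaced b
        if all(lt(c, b) for c in C.elements()):
            return True
    return False

def mul_lt(A, B, lt):
    """The multiset ordering derived from a strict order: A <mul B iff A != B and every
    element of A - B is below some element of B - A.  This is the transitive closure
    of <ml, so a chain of ml_steps always certifies a mul_lt pair, but not conversely."""
    X, Y = A - B, B - A
    if not X and not Y:
        return False
    return all(any(lt(x, y) for y in Y.elements()) for x in X.elements())

def is_ml_chain(chain, lt):
    """Check that each multiset in chain is one <ml step below its predecessor,
    ie the chain is a descending sequence of the kind Theorem 3 says is finite."""
    return all(ml_step(chain[i + 1], chain[i], lt) for i in range(len(chain) - 1))

def leaf_multiset(tree):
    """Leaf multiset of a tree term ('I', *subtrees) / ('L', e) as in Section 3.1."""
    if tree[0] == 'L':
        return Counter([tree[1]])
    acc = Counter()
    for sub in tree[1:]:
        acc += leaf_multiset(sub)
    return acc

def rewrite_leaf(tree, b, cs):
    """Apply the rule L(b) -> I(L(c1), ..., L(ck)) at the first leaf b, or return
    None if there is none.  Every c in cs must be below b for the step to be legal."""
    if tree[0] == 'L':
        return ('I',) + tuple(('L', c) for c in cs) if tree[1] == b else None
    for i in range(1, len(tree)):
        new = rewrite_leaf(tree[i], b, cs)
        if new is not None:
            return tree[:i] + (new,) + tree[i + 1:]
    return None
```

ml_step(ms(3, 3, 2), ms(5, 4), nat_lt) is False although mul_lt holds for the same pair: replacing 4 by {3, 3} and 5 by {2} takes two steps, which is the gap between <ml and its transitive closure that the text remarks on.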

3.2 A Non Simplification Ordering 

Example 5 of [5], with the single rule f(f(x)) → f(g(f(x))), is one for which 
a simplification ordering cannot be used, because a simplification ordering would 
take g(f(x)) to f(x) and so f(g(f(x))) to f(f(x)), giving a cycle. 

But Theorem 2 is not limited to simplification orderings. We define <cut 
according to the number of consecutive f symbols starting from the head of 
a term. Alternatively, we could use the total number of pairs of adjacent f 
symbols, as suggested in [5]. Thus f(f(x)) >cut f(g(y)), f(f(x)) >cut g(y), and 
f(f(x)) >cut f(x). Finally, any subterm of x is a proper subterm of f(f(x)). 
Thus Condition 2 is satisfied. Clearly also, rewriting a subterm cannot increase 
the number of consecutive f symbols, so <sn1 ∘ <cut ⊆ <cut (and likewise 
<cut ∘ <sn1 ⊆ <cut). Thus <dt = <cut ∪ <sn1 is well-founded by Lemma 1. 
Therefore the system terminates, by Theorem 2. 

3.3 A Recursive Path Ordering Example 

We now consider a typical example whose termination is shown by the recursive 
path ordering (see, for example, [6] or [7]). 

D(x + y) → Dx + Dy                (x × y) × z → x × (y × z) 

D(x × y) → x × Dy + Dx × y        (x + y) + z → x + (y + z) 

x × (y + z) → x × y + x × z 

The recursive path ordering is a simplification ordering. To prove termination 
we must actually add the following simplification rules as rewrite rules: 

x + y → x    x + y → y    x × y → x    x × y → y 

Clearly, if additional rules R' are added to a rewrite system R, and the 
resulting system R ∪ R' terminates, then the original system R terminates. 

We define <cut as below by first defining the relation <h, which depends on 
the head symbol, and then defining the relations <× and <+ which are for the 
rewrite rules capturing associativity: 

– D(x) >h y × z,   D(x) >h y + z,   x × y >h z + w 

– if x' is an immediate subterm of x, then x + y >+ x' + z and x × y >× x' × z 

– <cut = <h ∪ <× ∪ <+. 

We now prove that this rewrite system terminates. Clearly <cut is well- 
founded, since the immediate subterm relation is well-founded. 

To show that <cut ∪ <sn1 is well-founded, we in fact show that <cut ∪ <sn2 is 
well-founded, using Lemma 1(a). First we show that <cut ∘ <sn2 ⊆ <sn2* ∘ <cut. 
For suppose t >cut u >sn2 v. If t >h u then clearly t >h v. Suppose t >× u, 
say t = x × y, u = x' × z and x' is an immediate subterm of x. There are two 
cases for u >sn2 v, namely that a strongly normalising subterm of either x' or 
z reduces to a corresponding subterm of v. Firstly, if z → w, then we also 
have v = x' × w and t >cut v. Secondly, if x' → w', then v = w' × z. As x' 
is a subterm of x, let w be the term obtained from x by rewriting its subterm 
x' to w'. Then t = x × y >sn2 w × y: but note that this step of the argument 
would not hold for >sn1. Then w' is an immediate subterm of w, so we have 
w × y >cut w' × z = v. That is, (v, t) ∈ <sn2 ∘ <cut. 

So, in each case, (v, t) ∈ <sn2* ∘ <cut, and so <cut ∪ <sn2 is well-founded, by 
Lemma 1(a). 

Finally, we need to consider all pairs (r', l) where l → r is a rewrite rule 
and r' is a subterm of r. In many cases l >h r': for example D(x + y) >h 
Dx + Dy. In other cases, r' is a proper subterm of l: for example whenever a 
(meta-)variable appears on the right-hand side of a rule, and r' is the term the 
variable stands for, or any subterm of it. In the case of the associative rewrite 
rule l = (x × y) × z → r = x × (y × z), we have that l >× r, by definition; the 
rule for the associativity of + is similar. 

Finally, we have cases for (r', l) such as (D(x), D(x + y)) or (y × z, (x × y) × z). 
Here, since a proper subterm l' of l is assumed to be strongly normalising, 
and x + y → x (likewise x × y → y) we have D(x + y) >sn1 D(x) and 
(x × y) × z >sn1 y × z. 

Thus in all cases either r' is a proper subterm of l or (assuming proper 
subterms of l are in SN) l >dt r', so the system terminates by Theorem 2. 

3.4 Ackermann’s Function 

Ackermann’s function on the natural numbers can be defined by the following 
rewrite rules [5, Example 29] 

A(0, y) → S(y) 

A(S(x), 0) → A(x, S(0)) 

A(S(x), S(y)) → A(x, A(S(x), y)) 

It can be shown to terminate using the lexicographic path ordering. This is 
reflected in the relation >cut we use, which is defined by the following cases: 

A(x, y) >cut S(z)                (1) 

A(S(x), y) >cut A(x, z)          (2) 

A(x, S(y)) >cut A(x, y)          (3) 

We now prove that this rewrite system terminates. It is clear that >cut is 
well-founded using the lexicographic ordering on arguments. It is also clear that 
for each (r', l) where l → r is a rewrite rule and r' is a subterm of r, either 
l >cut r' or r' is a proper subterm of l. 

It remains to show that <cut ∪ <sn1 is well-founded. Again we show that 
<cut ∪ <sn2 is well-founded, using Lemma 1(a). We show that <cut ∘ <sn2 ⊆ 
<sn2* ∘ <cut. For suppose t >cut u >sn2 v. If t >cut u by rule (1), ie t = A(x, y) 
and u = S(z), then v = S(z') and so t >cut v. If t >cut u by rule (2), then 
t = A(S(x), y) and u = A(x, z). There are two cases for u >sn2 v: v = A(x, z') 
where z → z', in which case t >cut v, or v = A(x', z) where x → x' by 
reducing a strongly normalising subterm of x, in which case t = A(S(x), y) >sn2 
A(S(x'), y) >cut A(x', z) = v. The case for rule (3) is similar. 

So in all cases (v, t) ∈ <sn2* ∘ <cut, and so <cut ∪ <sn2 is well-founded, by 
Lemma 1(a). Therefore the system terminates by Theorem 2. 
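Definition 1 (closure under context), Definition 2 (strong normalisation), the one-rule system of §3.2 and the Ackermann system of §3.4 can all be made executable by a small term rewriting engine. What follows is an added example, not code from the paper or its Isabelle development: terms are nested tuples ('symbol', *args), metavariables in rules are strings beginning with '?', and is_sn decides strong normalisation by exhaustive search, which only works when finitely many terms are reachable (true for the inputs used here). Function and rule names are our own.

```python
# Added example, not from the paper: a small first-order term rewriting engine that
# makes Definition 1 (closure under context) and Definition 2 (strong normalisation)
# executable, run on the single-rule system of Section 3.2 and on the Ackermann
# system of Section 3.4.  Terms are tuples ('symbol', *args); a metavariable in a
# rule is a string beginning with '?'.  All function and rule names are ours.

def match(pattern, term, env):
    """Match a rule pattern against a ground term, binding metavariables in env."""
    if isinstance(pattern, str):                        # metavariable
        if pattern in env:
            return env[pattern] == term
        env[pattern] = term
        return True
    if pattern[0] != term[0] or len(pattern) != len(term):
        return False
    return all(match(p, t, env) for p, t in zip(pattern[1:], term[1:]))

def subst(pattern, env):
    """Instantiate a rule right-hand side under the bindings found by match()."""
    if isinstance(pattern, str):
        return env[pattern]
    return (pattern[0],) + tuple(subst(p, env) for p in pattern[1:])

def root_reducts(term, rules):
    """The relation rho of the paper: instances of the rules applied at the root."""
    out = []
    for lhs, rhs in rules:
        env = {}
        if match(lhs, term, env):
            out.append(subst(rhs, env))
    return out

def reducts(term, rules):
    """Closure under context (Definition 1): rho at the root, or a reduct of one
    immediate subterm put back in its place."""
    out = root_reducts(term, rules)
    for i in range(1, len(term)):
        for r in reducts(term[i], rules):
            out.append(term[:i] + (r,) + term[i + 1:])
    return out

def is_sn(term, rules, _path=None, _memo=None):
    """Strong normalisation (Definition 2) decided by exhaustive search of the
    reduction graph: False once a term reappears on the current path (an infinite
    reduction sequence exists), True when every reduction sequence is finite.
    Terminates only when finitely many terms are reachable, as in the examples."""
    path = [] if _path is None else _path
    memo = {} if _memo is None else _memo
    if term in memo:
        return memo[term]
    if term in path:
        return False
    path.append(term)
    ok = all(is_sn(r, rules, path, memo) for r in reducts(term, rules))
    path.pop()
    memo[term] = ok
    return ok

def innermost_step(term, rules):
    """One leftmost-innermost reduction step, or None if term is a normal form."""
    for i in range(1, len(term)):
        r = innermost_step(term[i], rules)
        if r is not None:
            return term[:i] + (r,) + term[i + 1:]
    rr = root_reducts(term, rules)
    return rr[0] if rr else None

def normalize(term, rules, max_steps=100000):
    """Reduce to normal form; the step budget guards against non-terminating input."""
    for _ in range(max_steps):
        nxt = innermost_step(term, rules)
        if nxt is None:
            return term
        term = nxt
    raise RuntimeError("step budget exhausted: system may not terminate")

# Section 3.2: f(f(x)) -> f(g(f(x))).  Adding the embedding g(y) -> y, which a
# simplification ordering would have to allow, produces the cycle described there.
R32 = [(('f', ('f', '?x')), ('f', ('g', ('f', '?x'))))]
R32_EMB = R32 + [(('g', '?y'), '?y')]

def f_tower(n):
    """f(f(...f(a)...)) with n occurrences of f over the constant a."""
    t = ('a',)
    for _ in range(n):
        t = ('f', t)
    return t

# Section 3.4: Ackermann's function with successor S and constant 0.
ZERO = ('0',)
def S(t):
    return ('S', t)
def A(x, y):
    return ('A', x, y)
ACK = [
    (A(ZERO, '?y'),        S('?y')),
    (A(S('?x'), ZERO),     A('?x', S(ZERO))),
    (A(S('?x'), S('?y')),  A('?x', A(S('?x'), '?y'))),
]

def numeral(n):
    """S^n(0)."""
    t = ZERO
    for _ in range(n):
        t = S(t)
    return t

def ackermann(m, n):
    """Run the rewrite system on A(S^m(0), S^n(0)) and read the numeral back."""
    nf, k = normalize(A(numeral(m), numeral(n)), ACK), 0
    while nf[0] == 'S':
        nf, k = nf[1], k + 1
    return k
```

is_sn(f_tower(3), R32) is True while is_sn(f_tower(3), R32_EMB) is False, which is exactly the cycle f(f(x)) → f(g(f(x))) → f(f(x)) that rules out a simplification ordering in §3.2; ackermann(2, 1) returns 5 by rewriting alone.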

3.5 Insertion Sort 

This example [5, Example 32] is more difficult than the previous two, though 
the approach is similar. The rules are 

,, ( 0 ^, . 

,, ( , , , (a;, 2 /)) — > , , (a;,,, (y)) 

, , >) — ' , , , >) 

,, (a;, , , , (i^,w)) — > ,,, {x, ^ ^ ^ (v,w),x,v) 

, , , (a:, , , , {v,w),y,0) — > , , , (a;, , , , {v,w)) 

,,, (a;, , , , (^^,w),0,s(z)) — (x,w)) 

,,, (a;, , , , (u,w),s(2/),s(2:)) — > ,,, (a;, , , , (v, w), y, z) 

To define >cut, we start by defining an order >h, contained in >cut, which 
depends on the head symbol, using this (transitive) order on symbols: ^ ^ > 

We notice that the rules (considered as definitions) 
define ^ ^ and ^ ^ ^ in terms of each other, so we continue by defining 

(x,w)>cut ,,, (y,w,a,b) >cut , , {x,w') 

,,, {y,w,a,b) >cut ,,, {y',w,a',b') 

where >cut is transitive and w', a' are immediate subterms of w, a. It is easy to 
see that >cut is well-founded. As in §3.3, we add a simplification rule 

, , ,{x,y) — >y 
Then, for every (r', l) where l → r is a rewrite rule and r' is a subterm of r, 
either l >cut r', or l >sn1 r', or r' is a proper subterm of l. 

Again we show that <cut ∘ <sn2 ⊆ <sn2* ∘ <cut, using the same technique as 
in the previous two examples. Therefore the system terminates by Theorem 2. 

The ordering <cut is similar to that used in [5, Example 32], and [6]. 

3.6 The Factorial Example 

Example 21 of [5] is almost the usual definition of the factorial function, but 
modified so that we can not use a simplification ordering. The rules are 

P(S(x)) → x                          F(0) → 0 

F(S(x)) → S(x) × F(P(S(x)))          0 × y → 0 

S(x) × y → x × y + y                 x + 0 → x 

x + S(y) → S(x + y) 

As usual we define a (transitive) ordering <h of terms based on the following 
ordering of head symbols: F > × > + > S. But we need to define <cut to be the 
union of <h and the following additional cases 

F(S(x)) >cut F(P(S(x)))      F(S(x)) >cut F(P(x)) 

We can not use a simplification ordering because if we allowed P(x) → x 
the system would not terminate, but would “cycle” between terms containing 
F(S(x)) and terms containing F(P(S(x))). We do, however, need to add the 
rule S(x) → x. The proofs of termination given in [5, Examples 21, 25] are 
based on interpreting arguments to the function symbols as natural numbers. 

Now for each (r', l) where l → r is a rewrite rule and r' is a subterm of r, it 
is reasonably easy to see that we have one of the following cases: 

– r' is a proper subterm of l 

– r' <h l 

– r' is l, but with S removed from a subterm (to give r' <sn1 l) 

– r' is F(P(S(x))) and l is F(S(x)) (so r' <cut l). 

It is easy to see that <cut is well-founded. To show that <cut ∪ <sn2 is well- 
founded we need to use a more general case of Lemma 1 than hitherto. In fact 
we show <cut ∘ <sn2 ⊆ (<sn2* ∘ <cut) ∪ <sn2+, which implies (d) of Lemma 1. 

Suppose t >cut u >sn2 v. If t >h u then clearly t >h v. Suppose t = F(S(x)) 
and u = F(P(S(x))) or u = F(P(x)). If u >sn2 v by way of reducing the x in 
u to x' (reducing a strongly normalising subterm of x), then t = F(S(x)) >sn2 
F(S(x')) >cut v. Otherwise we need to consider specific cases: 

– u = F(P(S(x))), S(x) → x where S(x) ∈ SN, v = F(P(x)): then t >cut v 

– u = F(P(S(x))), P(S(x)) → x where P(S(x)) ∈ SN, v = F(x): here, as 
S(x) → x and S(x) ∈ SN, we have t >sn2 v 

– u = F(P(x)), where x = S(y), P(S(y)) → y and P(S(y)) ∈ SN, v = F(y): 
here, as S(y) → y and S(y) ∈ SN, we have t = F(S(S(y))) >sn2 F(S(y)) >sn2 
F(y) = v. 

Thus <cut ∪ <sn2 is well-founded and the system terminates by Theorem 2. 
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3.7 Recursive Path Orderings 

To show that our theorem is at least as general as the recursive path orderings 
we now derive their termination. 

Given a well-founded ordering <σ, we use the derived lexicographic ordering 
lex(<σ), which is restricted to fixed-length sequences, and so is well-founded. 

Given a well-founded ordering <ρ on function symbols, the lexicographic path 
ordering lpo(<ρ), also written <lpo [7, Defn 4.22], is then defined as below (omitting 
reference to lpo-equivalent terms, and where <lex is lex(<lpo)): 

    si ≥lpo t   for some i ∈ {1, ..., m} 
    ------------------------------------ 
    f(s1, ..., sm) >lpo t 

    f >ρ g     ∀i ∈ {1, ..., n}. f(s1, ..., sm) >lpo ti 
    ------------------------------------------------- 
    f(s1, ..., sm) >lpo g(t1, ..., tn) 

    (s1, ..., sm) >lex (t1, ..., tm)     ∀i ∈ {1, ..., m}. f(s1, ..., sm) >lpo ti 
    ---------------------------------------------------------------------------- 
    f(s1, ..., sm) >lpo f(t1, ..., tm) 

We note that the definition of the multiset path ordering, and the proof that 
it is well-founded, correspond closely to what follows. 

The following lemma is actually an easy consequence of the transitivity of 
>lpo, but that result is much more difficult to prove. 

Lemma 4. If s >lpo t and t' is a subterm of t, then s >lpo t'. 

Proof. It is enough to show that if s >lpo t = g(t1, ..., tn) then s >lpo tj where 
j ∈ {1, ..., n}. We show this by induction on the size (or structure) of s. If 
s >lpo t by the second or third rules, then it is immediate that s >lpo tj. If 
s = f(s1, ..., sm) >lpo t by the first rule, then for some si, either si >lpo t and 
so si >lpo tj by induction, or si = t >lpo tj by the first rule, and then s >lpo tj 
by the first rule. □ 

Theorem 4. The lexicographic path ordering <lpo is well-founded. 

Proof. We first define <cut using <h as the ordering of terms according to the 
head symbol and defining another relation <lwi as below: 

– f(s̄) >h g(t̄) iff f >ρ g 

– if (t̄, s̄) ∈ lex(fwf(<lpo)), then f(t̄) <lwi f(s̄) 

– <cut = <h ∪ <lwi 

The idea behind the definition is similar to the way the definition of <sn1 
requires the <sn1-greater term to be strongly normalising. As fwf(<lpo) is 
well-founded, lex(fwf(<lpo)) and so <lwi are well-founded. Clearly also 
<h ∘ <lwi ⊆ <h, so <cut is well-founded, by Lemma 1. Further, <sn1 ⊆ <lwi, 
so <cut ∪ <sn1 = <cut is well-founded. 

To show that the rewrite relation <lpo satisfies Condition 1, suppose (r', l) is 
given, where r <lpo l and r' is a subterm of r. Then, by Lemma 4, r' <lpo l. 

If l = f(s1, ..., sm) >lpo r' by the first rule, then some si ≥lpo r'. Now 
assuming that si ∈ SN, we have r' ∈ SN. 

Now suppose l >lpo r' by the second or third rules. Again, we are assuming 
that all proper subterms of l are strongly normalising, and then r' <cut l. □ 

It may be noted that using our theorem as above actually proves that ↓<lpo 
is well-founded; in fact, since <lpo is closed under context this point is of no 
significance. The proof that the multiset path ordering <mpo [7, Defn 4.24] is 
well-founded is very similar. In the “status-based” recursive path ordering, lists 
of arguments to a function symbol are compared using the lexicographic, multiset 
or other derived ordering φ(σ), depending on the function symbol. This is well- 
founded also, by a similar proof. The necessary properties for such an ordering 
φ(−) are the following: that φ(σ) is well-founded if σ is, and that if s' <σ si 
then (s1, ..., s', ..., sm) <φ(σ) (s1, ..., si, ..., sm). This second property is used 
above in the step <sn1 ⊆ <lwi. 

3.8 The Knuth-Bendix Ordering 

For a rewrite system (with rules containing variables), the Knuth-Bendix 
ordering <kb is based on a strict well-founded order < on function symbols and, 
additionally, a weight function w on function symbols and variables. Since our 
approach is based on a relation ρ (which amounts to the rewrite rules after 
all possible substitutions for variables), we describe the Knuth-Bendix ordering 
in this context. Weights are natural numbers, and the weight of any constant 
or object language variable is positive: thus every subterm has positive weight. 
At most one unary function symbol (call it k) can have zero weight, and then 
k > f for any other function symbol f. The weight of a term is the sum of the 
weights of the function symbols and variables in it. Then we have that s >kb t 
iff w(s) ≥ w(t) and one of 

w(s) > w(t)                                          (4) 

s = k^n(t) for some n > 0                            (5) 

s = f(s̄) and t = g(t̄) where f > g                   (6) 

s = f(s̄), t = f(t̄) and (t̄, s̄) ∈ lex(<kb)          (7) 

Theorem 5. The Knuth-Bendix ordering <kb is well-founded. 

Proof. The proof that <kb is well-founded is similar to that in §3.7, and so is 
somewhat abbreviated here. We define s >cut t iff w(s) ≥ w(t) and either one of 
the rules (4), (5), (6) holds or s >kwi t holds, where <kwi is defined by: 

f(t̄) <kwi f(s̄) iff (t̄, s̄) ∈ lex(fwf(<kb))          (8) 

To show <cut is well-founded, we have that each individual rule provides a 
well-founded relation and it is easy to apply Lemma 1 to show that their union 
is well-founded, noting that if (6) applies then g ≠ k. As in the case of the 
lexicographic path order, <sn1 ⊆ <kwi. 

To show that Condition 1 is satisfied, suppose that l >kb r and that r' is a 
subterm of r. Assume that all proper subterms of l are in SN, in which case, if 
l >kb r' then l >cut r'. We show by induction on the structure of l that r' <kb l' 
for some subterm l' of l. Then if l' is a proper subterm of l, Condition 2(a) is 
satisfied; if l' = l then r' <kb l and so r' <cut l, so Condition 2(b) is satisfied. 

If w(r') < w(r) or w(r) < w(l) then w(l) > w(r') and l >kb r'. If r' = r then 
l >kb r'. If w(l) = w(r) = w(r') and r' is a proper subterm of r, then r = k^n(r') 
for some n > 0, and so l >kb r by either (5) or (7) (as the g of (6) cannot be 
k). If l >kb r by (5) then l >kb r' by (5). If l >kb r by (7), then, for some l1, r1, 
l = k(l1), r = k(r1), l1 >kb r1 and r' is a subterm of r1, so by induction we have 
that r' <kb l' for some l' which is a subterm of l1 and so of l. □ 



3.9 Dependency Pairs 

Arts & Giesl [1] describe a method of establishing termination using “dependency pairs”. They distinguish function symbols which appear at the head of the left-hand side of a rewrite rule (“defined symbols”) and those which do not (“constructor symbols”). They follow the convention that for a rule $l \to r$ of a rewrite system, $l$ is not a lone variable, and any variable in $r$ is also in $l$. For each defined symbol $d$ they introduce a new corresponding “tuple symbol” $d^\sharp$. From a term $t$ we obtain a term $t^\sharp$ by changing the head symbol of $t$ to the corresponding tuple symbol.

Previously we have considered a “rule” $l \to r$ after substitution, and the variables in our analyses have been metavariables where, for example, we might have considered a rule $g(x) \to x$ with $l = g(x)$, $r = x$, and $r'$ a proper subterm of $x$. This approach no longer holds: $l \to r$ will mean a rule before substitution, and we will use $\sigma$ for a substitution.

For a rewrite rule $l \to r$, and subterm $r'$ of $r$, if the head of $r'$ is a defined symbol then $l^\sharp \to r'^\sharp$ is a dependency pair. We now state and prove the “sufficiency” part of Theorem 7 of [1].

Theorem 6. … (a) $l > r$ for each rule $l \to r$; (b) …

Proof. Assume $>$ is minimal such that the conditions hold. Then there is no instance of $c^\sharp(\bar x) > d^\sharp(\bar y)$ or $c(\bar x) > d(\bar y)$ where $c$ is a constructor symbol and $d$ is a defined symbol, as neither (a) nor (b) nor the requirement that $<$ be closed under context require it, whence the transitivity of $<$ cannot require it.

We define $<_{cut}$ by

$$s\sigma <_{cut} t\sigma \text{ if } s^\sharp\sigma < t^\sharp\sigma \tag{9}$$

$$c(\bar x) <_{cut} d(\bar y) \tag{10}$$

for any substitution $\sigma$, constructor symbol $c$ and defined symbol $d$.

Then $<_{cut}$ is well-founded because $<$ is and because, as remarked above, there is no instance of $c^\sharp(\bar x) > d^\sharp(\bar y)$ or $c(\bar x) > d(\bar y)$.

To show that $<_{cut} \cup <_{sni}$ is well-founded, we use Lemma 1(a), showing that $<_{cut} \circ <_{sni} \subseteq <_{cut}$. Suppose that $t >_{cut} u >_{sni} v$. If $t >_{cut} u$ by rule (10) then $t >_{cut} v$ by the same rule. If $t >_{cut} u$ by rule (9) then $t^\sharp > u^\sharp$, where a proper subterm $u'$ of $u$ is rewritten to a corresponding subterm $v'$ of $v$. Since $u' > v'$ by assumption (a) because $<$ is closed under substitution, we have $u^\sharp > v^\sharp$ since $<$ is closed under context, and so $t^\sharp > v^\sharp$ and $t >_{cut} v$.

Finally, we show that Condition 2 is satisfied. For a rule $l \to r$ and substitution $\sigma$, so $(r\sigma, l\sigma) \in \rho$, and subterm $r'$ of $r\sigma$, there are three cases for $r'$:

— the head of $r'$ is a constructor symbol in $r$, in which case $l\sigma >_{cut} r'$ by (10);

— the head of $r'$ is a defined symbol in $r$, in which case $r' = r_1\sigma$ for some subterm $r_1$ of $r$, $l^\sharp \to r_1^\sharp$ is a dependency pair, and $l\sigma >_{cut} r_1\sigma = r'$ by (9);

— $r'$ is a subterm of $x\sigma$ for some variable $x$ in $r$, in which case $r'$ is a proper subterm of $l\sigma$, since any variable in $r$ appears as a proper subterm of $l$.
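The notions used in this section (defined and constructor symbols, tuple symbols, dependency pairs under the convention on variables) can be computed mechanically; the following added example (not code from the paper or from Arts & Giesl) does so for a small constructed rewrite system for addition and doubling on Peano numerals, whose rules and term encoding are this example's own.

```python
"""Dependency pairs of a rewrite system, following the definitions of §3.9.

Added example; not code from the paper or from Arts & Giesl. Variables are
plain strings; function applications are tuples (symbol, args). The sample
rewrite system at the bottom is constructed for this illustration.
"""


def is_var(t):
    return isinstance(t, str)


def head(t):
    return t[0]


def subterms(t):
    """All subterms of t, t itself first (pre-order)."""
    yield t
    if not is_var(t):
        for u in t[1]:
            yield from subterms(u)


def variables(t):
    return {u for u in subterms(t) if is_var(u)}


def symbols(t):
    return {head(u) for u in subterms(t) if not is_var(u)}


def convention_violations(rules):
    """The convention of §3.9: a left-hand side is not a lone variable, and
    every variable of r also occurs in l. Returns a list of problems."""
    problems = []
    for l, r in rules:
        if is_var(l):
            problems.append(f"left-hand side is a lone variable: {l}")
        extra = variables(r) - variables(l)
        if extra:
            problems.append(f"rule {l} -> {r} introduces variables {sorted(extra)}")
    return problems


def defined_symbols(rules):
    """Symbols at the head of some left-hand side."""
    return {head(l) for l, _ in rules}


def constructor_symbols(rules):
    """All other symbols occurring in the rules."""
    every = set().union(*(symbols(l) | symbols(r) for l, r in rules))
    return every - defined_symbols(rules)


def sharp(t):
    """t# : t with its head replaced by the corresponding tuple symbol."""
    return (head(t) + "#", t[1])


def dependency_pairs(rules):
    """l# -> r'# for every subterm r' of r whose head is a defined symbol."""
    problems = convention_violations(rules)
    if problems:
        raise ValueError("; ".join(problems))
    defined = defined_symbols(rules)
    return [(sharp(l), sharp(rp))
            for l, r in rules
            for rp in subterms(r)
            if not is_var(rp) and head(rp) in defined]


# Constructed sample: plus(0, y) -> y ; plus(s(x), y) -> s(plus(x, y)) ;
# dbl(x) -> plus(x, x). Defined symbols: plus, dbl. Constructors: 0, s.
ZERO = ("0", ())
def s(t): return ("s", (t,))
def plus(a, b): return ("plus", (a, b))
def dbl(a): return ("dbl", (a,))

SAMPLE_RULES = [
    (plus(ZERO, "y"), "y"),
    (plus(s("x"), "y"), s(plus("x", "y"))),
    (dbl("x"), plus("x", "x")),
]

if __name__ == "__main__":
    for lhs, rhs in dependency_pairs(SAMPLE_RULES):
        print(lhs, "->", rhs)
```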

4 Observations and Conclusion 

In §3.3 we had the somewhat paradoxical situation that it was necessary to add additional rewrite rules to enlarge the relation $\rho$ to prove termination. An interesting question is whether we can reformulate Theorem 2 to avoid this need since, the larger $\rho$ is, the more difficult it should be to prove termination.

It is interesting to consider further questions of a similar nature. We prove the well-foundedness of $\downarrow\!\rho$ based on certain conditions on $\rho$. Since $\downarrow(\downarrow\!\rho) = \downarrow\!\rho$ and assuming we can apply Theorem 2 to $\rho$, can we also apply it to $\downarrow\!\rho$ using the same or a different choice of $<_{cut}$? In fact, we can, and with the same choice of $<_{cut}$. Suppose $\rho$ satisfies Condition 1. Consider $(C[r], C[l]) \in \downarrow\!\rho \setminus \rho$, where $(r, l) \in \rho$, and let $r'$ be a subtree of $C[r]$. If $r' = C[r]$, then $r' <_{sni} C[l]$ under the assumption that all proper subtrees of $C[l]$ are in …. If $r'$ is a subtree of $r$, then Condition 2(a) holds for $(r', C[l])$ because $l$ is a proper subtree of $C[l]$, $l$ reduces to $r$, and $r'$ is a subtree of $r$. Thus $l$, $r$ and $r'$ are in …. Finally, $r'$ could be $C'[r]$, where $C'[l]$ is a proper subterm of $C[l]$. If $C'[r] = C'[l]$ then $l$ is in a different part of $C[l]$ from $C'[l]$ so $r' = C'[l]$ is a proper subterm of $C[l]$; otherwise $r'$ is the reduction of $C'[l]$, and Condition 2(a) holds.

Likewise, rewriting with $\rho$ terminates if and only if rewriting with $\rho^+$ terminates: this is because $\downarrow\!\rho \subseteq \downarrow\!\rho^+ \subseteq (\downarrow\!\rho)^+$ and $\downarrow\!\rho$ is well-founded if and only if $(\downarrow\!\rho)^+$ is. Now, when we can apply Theorem 2 to $\rho$, can we also apply it to $\rho^+$? So far we have shown that if $\downarrow\!\rho$ satisfies Condition 2, then so does $(\downarrow\!\rho)^+$ (with the same $<_{cut}$), provided that $\downarrow\!\rho$ is well-founded. The proof is a complex triple induction.

If we ask how powerful Theorem 2 is, that is, which terminating rewrite systems it can handle, then we find that it can handle all of them, but this result is unhelpful. For given $\rho$, where $\downarrow\!\rho$ is well-founded, then, writing $<_{sub}$ for the subterm relation, we can define $<_{cut} = \rho \circ <_{sub}$. Then Condition 2(a) holds, trivially. Further, it can be shown that $\downarrow\!\rho \cup <_{sub}$ is well-founded: though, as we have seen, $\downarrow(\rho \cup <_{sub})$ need not be. Since $<_{dt} \subseteq (\downarrow\!\rho \cup <_{sub})^+$, we have that $<_{dt}$ is well-founded. That is, where $\downarrow\!\rho$ is well-founded, we can always find an appropriate relation $<_{cut}$. But it may be no easier to show $<_{cut}$ well-founded than to show $\downarrow\!\rho$ well-founded.

We have described a proof of the termination of a rewrite system (or any relation closed under context) which provides simple proofs of the termination of a range of rewrite systems. It provides a reasonably easy proof of the well-foundedness of the lexicographic and multiset path orderings (which are simplification orderings), but it is not limited to simplification orderings. It can also be used to prove the termination of Knuth-Bendix orderings and a key theorem for the method of dependency pairs.

There are several termination results for orderings which are not necessar- 
ily closed under context, but contain a rewrite ordering, such as the results of 
Ferreira & Zantema [9], Dershowitz & Hoot [6] and Borralleras, Ferreira & Ru- 
bio [2]. We are currently exploring the linkage between our results and these 
termination results. 



Acknowledgements. We wish to thank Linda Buisman for investigating some of the examples, and researching the criteria for well-foundedness of a union of well-founded orderings. We also wish to thank Jean Goubault-Larrecq and Hubert Comon for pointers to the literature. Finally, we thank some anonymous referees for very helpful comments.
Abstract. In the refinement calculus, monotonic predicate transformers are used to model specifications for (imperative) programs. Together with a natural notion of simulation, they form a category enjoying many algebraic properties.

We build on this structure to make predicate transformers into a denotational model of full linear logic: all the logical constructions have a natural interpretation in terms of predicate transformers (i.e. in terms of specifications). We then interpret proofs of a formula by a safety property for the corresponding specification.



Introduction

The first denotational model for linear logic was the category of coherent spaces ([1]). In this model, formulas are interpreted by graphs; and proofs by cliques (complete subgraphs). This forms a special case of domains à la Scott.

From a conceptual point of view, the construction of interfaces is a little different: first, the model looks a little more dynamic; then, seeds (the notion corresponding to cliques) are not closed under substructures; and finally, they are closed under arbitrary unions (usually, only directed unions are allowed).

What was a little unexpected is that the interpretation of linear proofs used in the relational model can be lifted directly to this structure to yield a denotational model of full linear logic in the spirit of (hyper/multi-)coherence or finiteness spaces.

A promising direction for further research is to explore the links between the model presented below and non-determinism as it appears both in the differential lambda-calculus ([2,3]) and different kinds of process calculi. We expect such a link because of the following remarks: this model comes from the semantics of imperative languages; it can be extended to a model of the differential lambda calculus (which can be seen as a variant of “lambda calculus with resource”) and there is a completely isomorphic category in which predicate transformers are replaced by (two-sided) transition systems. In particular, all of the logical operations presented below have natural interpretations in terms of processes...
1 Relations and Predicate Transformers

Definition 1. Let $r \subseteq A \times B$ be a relation. Its converse is $r^{\sim} = \{(b, a) \mid (a, b) \in r\}$. If $r \subseteq A \times B$ and $r' \subseteq B \times C$, their composition is

$$r' \cdot r = \{(a, c) \mid (\exists b \in B)\ (a, b) \in r \wedge (b, c) \in r'\}.$$

There seem to be three main notions of morphisms between sets. These give rise to three important categories in computer science:

— Set, where morphisms are functions;

— Rel, where morphisms are (binary) relations;

— Pow, where morphisms are monotonic predicate transformers.

One can go from Set to Rel and from Rel to Pow using the same categorical construction ([4]) which cannot be applied further.

Definition 2. A predicate transformer $P$ is a function between powersets, … $\mathcal{P}(B)$ …; it is monotonic if $x \subseteq x'$ implies $P(x) \subseteq P(x')$.

From now on, we will consider only monotonic predicate transformers. The adjective “monotonic” is thus implicit everywhere.

The term “predicate” might not be the most adequate but the terminology was introduced by E. Dijkstra some decades ago, and has been used extensively by computer scientists since then. Formally, a predicate on a set $A$ can be identified with a subset of $A$ by the separation axiom of ZF set theory; the confusion is thus harmless.

Definition 3. Let $r \subseteq A \times B$; $\langle r\rangle : \mathcal{P}(A) \to \mathcal{P}(B)$ is the predicate transformer (called the direct image of $r$)

$$\langle r\rangle(x) = \{b \in B \mid (\exists a \in A)\ (a, b) \in r \wedge a \in x\}.$$

Note that in the traditional version of the refinement calculus ([5]), our $\langle r\rangle$ is written … but this notation clashes with set theoretic notation and would make our formulas very verbose with … everywhere.



2 Interfaces

Several denotational models of linear logic can be seen as “refinements” of the relational model. This very crude model interprets formulas by sets; and proofs by subsets. It is degenerate in the sense that any formula is identified with its linear negation! Coherent spaces ([1]), hypercoherent spaces ([6]), finiteness spaces ([7]) remove (part of) this degeneracy by adding structure on top of the relational model. We follow the same approach:

Definition 4. An interface is a pair $X = (|X|, P_X)$ where $|X|$ is a set (the state space) and $P_X$ is a predicate transformer on $|X|$ (the specification).
The term “specification” comes from computer science, where a specification usually takes the form:

…

Such a specification can be identified with the (monotonic) predicate transformer $\psi \mapsto$ “biggest such $\varphi$”. This point of view is that of the wp calculus, introduced by Dijkstra (“wp” stands for “weakest precondition”). Note that the specification “goes backward in time”: it associates to a set of final states (which we want to reach) a set of initial states (which guarantee that we will reach our goal).¹

For a complete introduction to the field of predicate transformers in relation to specifications, we refer to [5].

In the coherence semantics, a “point” is a complete subgraph,² called a clique. Since the intuitions behind our objects are quite different, we change the terminology.

Definition 5. Let $X$ be an interface. A seed in $X$ is a subset $x \subseteq |X|$ such that $x \subseteq P_X(x)$. The set of seeds of $X$ is written $S(X)$.

More traditional names for seeds are safety properties, or $P$-invariant properties: if some initial state is in $x$, no matter what, after each execution of a program satisfying specification $P$, the final state will still be in $x$. In other words, $P$ maintains an invariant, namely “staying in $x$”. In particular, there can be no program deadlock when starting from $x$.

The collection of cliques in the (hyper)coherent semantics forms a c.p.o.: the sup of any directed family exists. The collection of seeds in an interface satisfies the stronger property:

Lemma 1. For any interface $X$, $(S(X), \subseteq)$ is a sup-lattice: any union of seeds is a seed.

Proof. $\emptyset$ is trivially a seed; and by monotonicity of $P$, a union of seeds is a seed. □

The fact that seeds are closed under union may seem counter-intuitive at first; but one possible interpretation is that we allow for non-deterministic data. For example, all denotational models of linear logic have an object for the booleans: its state space is $\{t, f\}$, and the cliques are always $\emptyset$, $\{t\}$ and $\{f\}$. The union of $\{t\}$ and $\{f\}$ is usually not itself a clique because “one cannot get both true and false”. However, if one interprets union as a non-deterministic sum, then $\{t, f\}$ is a perfectly sensible set of data.

However, nothing guarantees that a seed is the union of all its finite subseeds; a given seed need not even contain any finite seed! (The canonical example being $P_X(x) = X$, with $X$ infinite.)

¹ In a previous version, interfaces also had to enjoy the property $P(\emptyset) = \emptyset$ and $P(|X|) = |X|$. This condition doesn’t interact well with second order interpretation and has thus been dropped.

² The intuition is that a set of data is coherent iff it is pairwise coherent.
3 Constructions on Interfaces

A denotational model interprets formulas as objects in a category (and proofs as morphisms). We thus need to define all the constructions of linear logic at the level of interfaces. The most interesting cases are the linear negation and the tensor product (and the exponentials, but they will be treated in section 6).

Note that there will always be an “ambient” set $A$ for predicates. We write $\bar x$ for the $A$-complement of $x$.

Let $X = (|X|, P_X)$ and $Y = (|Y|, P_Y)$ be two interfaces;

Definition 6. The dual of $X$ is $X^\perp = (|X|, P_X^\perp)$ where $P_X^\perp(x) = \overline{P_X(\bar x)}$. A seed of $X^\perp$ is called an antiseed of $X$.

In terms of specifications, $a \in P^\perp(x)$ means …. If $P$ is concerned with wp calculus, then $P^\perp$ is more concerned with wlp calculus. (Weakest liberal precondition, also introduced by Dijkstra: we are not interested in termination, only the states which we will never reach.)

This operation of “negation” is the reason we do not ask for any properties on the predicate transformer. It respects neither continuity nor commutation properties! In many respects, this operation is not very well-behaved.

Definition 7. The tensor of $X$ and $Y$ is $X \otimes Y = (|X| \times |Y|, P_X \otimes P_Y)$ where

$$P_X \otimes P_Y(r) = \bigcup_{x \times y \subseteq r} P_X(x) \times P_Y(y).$$

$P_X \times P_Y$ is the most natural transformer to construct on $|X| \times |Y|$. It was used in [8] to model parallel execution of independent pieces of programs. The intuition is the following: a program satisfies $P_X \otimes P_Y$ if, when you start it in the pair $(a_1, b_1) \in P_X \otimes P_Y(r)$ of initial states, the two final states will be related through $r$. In particular, this means that execution is synchronous: both executions need to terminate.

Definition 8. The with of $X$ and $Y$ is $X \& Y = (|X| + |Y|, P_X \& P_Y)$ where $P_X \& P_Y(x, y) = (P_X(x), P_Y(y))$.³

This operation is not very interesting from the specification point of view: it is a kind of disjoint union.

Definition 9. The constants and the remaining connectives are defined by:

— $0 = (\emptyset, \mathrm{Id})$, $\top = 0^\perp$, $1 = (\{*\}, \mathrm{Id})$, $\bot = 1^\perp$;

— $X \oplus Y$ (plus) $= (X^\perp \& Y^\perp)^\perp$;

— $X \,⅋\, Y$ (par) $= (X^\perp \otimes Y^\perp)^\perp$;

— $X \multimap Y = X^\perp \,⅋\, Y$.

³ It uses implicitly the fact that $\mathcal{P}(|X| + |Y|) \simeq \mathcal{P}(|X|) \times \mathcal{P}(|Y|)$.

We have:

Lemma 2. $\bot = 1$, $\top = 0$ and $X \oplus Y = X \& Y$.

The proof is immediate. The first two equalities are satisfied in several of the denotational models of LL; the last one is a little less common. (For example, it is satisfied in finiteness spaces, but in no ...-coherence spaces.)

As an application of the definitions, let’s massage the definition of $A \multimap B$ into something readable:

$(a, b) \in A \multimap B(r)$

⇔ { definition }

$(a, b) \in (A^\perp \,⅋\, B)(r)$

⇔ { definition, involutivity of $\perp$ }

$(a, b) \in (A \otimes B^\perp)^\perp(r)$

⇔ { definition of $\perp$ }

$(a, b) \notin A \otimes B^\perp(\bar r)$

⇔ { definition of $\otimes$ }

$\neg\big((\exists\, x \times y \subseteq \bar r)\ a \in A(x) \wedge b \in B^\perp(y)\big)$

⇔ { logic }

$(\forall\, x \times y \subseteq \bar r)\ a \notin A(x) \vee b \notin B^\perp(y)$

⇔ { logic }

$(\forall\, x \times y \subseteq \bar r)\ a \in A(x) \Rightarrow b \in B(\bar y)$

⇔ { lemma: $x \times y \subseteq \bar r$ iff $\langle r\rangle x \subseteq \bar y$ }

$(\forall\, \langle r\rangle x \subseteq \bar y)\ a \in A(x) \Rightarrow b \in B(\bar y)$

⇔ { change of variable: $\bar y \mapsto y$ }

$(\forall\, \langle r\rangle x \subseteq y)\ a \in A(x) \Rightarrow b \in B(y)$.

From this, we derive:

Lemma 3. $(a, b) \in A \multimap B(r)$ iff $a \in A(x) \Rightarrow b \in B(\langle r\rangle x)$ for all $x \subseteq |A|$. In particular, $\mathrm{Id}_{|X|} \in S(X \multimap X)$.

The shapes of images along $X \multimap Y$ are usually difficult to visualize, but we have the following on “rectangles”:

Lemma 4. Let $X$ and $Y$ be interfaces, $x \subseteq |X|$ and $y \subseteq |Y|$. Then

$$P_X \otimes P_Y(x \times y) = P_X(x) \times P_Y(y) \subseteq P_X \,⅋\, P_Y(x \times y).$$

Proof. That $P_X \otimes P_Y(x \times y) = P_X(x) \times P_Y(y)$ is straightforward.

Suppose now $a \in P_X(x)$ and $b \in P_Y(y)$; let’s show that $(a, b) \in P_X \,⅋\, P_Y(x \times y)$:

suppose $x' \times y' \subseteq \overline{x \times y}$

⇒ { claim (see below) }

$x \subseteq \overline{x'} \vee y \subseteq \overline{y'}$

⇒ { monotonicity }

$a \in P_X(\overline{x'}) \vee b \in P_Y(\overline{y'})$.

Claim: $x' \times y' \subseteq \overline{x \times y} \Rightarrow x \subseteq \overline{x'} \vee y \subseteq \overline{y'}$. By contraposition, suppose $\neg(x \subseteq \overline{x'}) \wedge \neg(y \subseteq \overline{y'})$

⇒ $x \cap x' \neq \emptyset \wedge y \cap y' \neq \emptyset$

⇒ $x \times y \cap x' \times y' \neq \emptyset$

⇒ $\neg(x' \times y' \subseteq \overline{x \times y})$. □

Furthermore, seeds in $A$ and $B$ are related to seeds in $A \otimes B$ and $A \,⅋\, B$ in the following way:

Lemma 5. Let $A$ and $B$ be interfaces.

(i) if $x \in S(A)$ and $y \in S(B)$ then $x \times y \in S(A \otimes B)$;

(ii) if $x \in S(A)$ and $y \in S(B)$ then $x \times y \in S(A \,⅋\, B)$.

Proof. The first point is obvious; the second point is a direct consequence of Lemma 4. □



4 Linear Proofs and Seeds

The previous section gave a way to interpret any linear formula $F$ by an interface $F^*$. (When no confusion arises, $F^*$ is written $F$.) We now interpret linear proofs of $F$ as subsets of the state space of $F^*$.⁴ We refer to [1] or the abundant literature on the subject for the motivations governing those inference rules.

(1) if $\pi$ is $\dfrac{}{\vdash 1}$ then $\pi^* = \{*\}$;

(2) if $\pi$ is $\dfrac{}{\vdash \Gamma, \top}$ then $\pi^* = \emptyset$;

(3) if $\pi$ is $\dfrac{\pi_1 \vdash \Gamma}{\vdash \Gamma, \bot}$ then $\pi^* = \{(\gamma, *) \mid \gamma \in \pi_1^*\}$;

(4) if $\pi$ is $\dfrac{\pi_1 \vdash \Gamma, A, B}{\vdash \Gamma, A \,⅋\, B}$ then $\pi^* = \{(\gamma, (a, b)) \mid (\gamma, a, b) \in \pi_1^*\}$;

(5) if $\pi$ is $\dfrac{\pi_1 \vdash \Gamma, A \qquad \pi_2 \vdash \Delta, B}{\vdash \Gamma, \Delta, A \otimes B}$ then $\pi^* = \pi_1^* \otimes \pi_2^* = \{(\gamma, \delta, (a, b)) \mid (\gamma, a) \in \pi_1^* \wedge (\delta, b) \in \pi_2^*\}$;

(6) if $\pi$ is $\dfrac{\pi_1 \vdash \Gamma, A}{\vdash \Gamma, A \oplus B}$ then $\pi^* = \{(\gamma, (1, a)) \mid (\gamma, a) \in \pi_1^*\}$;

⁴ Recall that a sequent $A_1, \dots, A_n$ is interpreted by $A_1 \,⅋\, \dots \,⅋\, A_n$ and the notation $\pi \vdash \Gamma$ means “$\pi$ is a proof of sequent $\Gamma$”.

Predicate Transformers and Linear Logic 121

(7) if $\pi$ is $\dfrac{\pi_1 \vdash \Gamma, B}{\vdash \Gamma, A \oplus B}$ then $\pi^* = \{(\gamma, (2, b)) \mid (\gamma, b) \in \pi_1^*\}$;

(8) if $\pi$ is $\dfrac{\pi_1 \vdash \Gamma, A \qquad \pi_2 \vdash \Gamma, B}{\vdash \Gamma, A \& B}$ then $\pi^* = \{(\gamma, (1, a)) \mid (\gamma, a) \in \pi_1^*\} \cup \{(\gamma, (2, b)) \mid (\gamma, b) \in \pi_2^*\}$;

(9) if $\pi$ is $\dfrac{\pi_1 \vdash \Gamma, A \qquad \pi_2 \vdash \Delta, A^\perp}{\vdash \Gamma, \Delta}$ then $\pi^* = \{(\gamma, \delta) \mid (\exists a)\ (\gamma, a) \in \pi_1^* \wedge (\delta, a) \in \pi_2^*\}$.



This interpretation is correct in the following sense:

Proposition 1. If $\pi$ is a proof of $\Gamma$, then $\pi^* \in S(\Gamma^*)$.

Proof. By induction on the structure of $\pi$: we will check that seeds propagate through the above constructions. It is mostly trivial computation, except for two interesting cases:

(5): suppose that $\pi_1$ is a seed in $\Gamma, A$ and that $\pi_2$ is a seed in $\Delta, B$. We need to show that $\pi_1 \otimes \pi_2 = \{(\gamma, \delta, (a, b)) \mid (\gamma, a) \in \pi_1 \wedge (\delta, b) \in \pi_2\}$ is a seed in the sequent $\Gamma, \Delta, A \otimes B$.

Let $(\gamma, \delta, (a, b)) \in \pi_1 \otimes \pi_2$

⇒ $(\gamma, a) \in \pi_1$ and $(\delta, b) \in \pi_2$

⇒ { $\pi_1$ and $\pi_2$ are seeds in $\Gamma, A$ and $\Delta, B$ }

$(\gamma, a) \in \Gamma, A(\pi_1)$ and $(\delta, b) \in \Delta, B(\pi_2)$.

By contradiction, let $(\gamma, \delta, (a, b)) \notin \Gamma, \Delta, A \otimes B(\pi_1 \otimes \pi_2)$

⇒ $(\gamma, \delta, (a, b)) \in \Gamma^\perp \otimes \Delta^\perp \otimes (A \otimes B)^\perp(\overline{\pi_1 \otimes \pi_2})$

⇒ { for some $u \times v \times r \subseteq \overline{\pi_1 \otimes \pi_2}$: }

$\gamma \in \Gamma^\perp(u) \wedge \delta \in \Delta^\perp(v) \wedge (a, b) \in (A \otimes B)^\perp(r)$

⇒ $\ldots \wedge (\forall\, x \times y \subseteq \bar r)\ a \in A^\perp(\bar x) \vee b \in B^\perp(\bar y)$.

In particular, define $x = \langle\pi_1\rangle u$ and $y = \langle\pi_2\rangle v$; it is easy to show that $x \times y \subseteq \bar r$, so that we have $a \in A^\perp(\bar x)$ or $b \in B^\perp(\bar y)$.

Suppose $a \in A^\perp(\bar x)$: we have $\gamma \in \Gamma^\perp(u)$ and $u \times \bar x \subseteq \overline{\pi_1}$ (easy lemma); so by definition, $(\gamma, a) \in \Gamma^\perp \otimes A^\perp(\overline{\pi_1})$, i.e. $(\gamma, a) \notin \Gamma, A(\pi_1)$! This is a contradiction.

Similarly, one can derive a contradiction from $b \in B^\perp(\bar y)$.

This finishes the proof that $\pi_1 \otimes \pi_2$ is a seed of $\Gamma, \Delta, A \otimes B$.

(9): let $\pi_1$ be a seed in $\Gamma, A = \Gamma^\perp \multimap A$ and $\pi_2$ a seed in $\Delta, A^\perp$; $\pi_2^{\sim}$ is a seed in $A \multimap \Delta$. Let’s show that $\pi = \{(\gamma, \delta) \mid (\exists a)\ (\gamma, a) \in \pi_1 \wedge (\delta, a) \in \pi_2\} = \pi_2^{\sim} \cdot \pi_1$ is a seed in $\Gamma, \Delta$.

Suppose $(\gamma, \delta) \in \pi_2^{\sim} \cdot \pi_1$, that $(\gamma, a) \in \pi_1$ and $(a, \delta) \in \pi_2^{\sim}$ for some $a$. We will prove that $(\gamma, \delta)$ is in $\Gamma, \Delta(\pi) = \Gamma^\perp \multimap \Delta(\pi)$. According to Lemma 3, we need to show that if $\gamma \in \Gamma^\perp(u)$ then $\delta \in \Delta(\langle\pi\rangle u)$.

Let $\gamma \in \Gamma^\perp(u)$

⇒ { $(\gamma, a) \in \pi_1 \subseteq \Gamma^\perp \multimap A(\pi_1)$ }

$a \in A(\langle\pi_1\rangle u)$

⇒ { $(a, \delta) \in \pi_2^{\sim} \subseteq A \multimap \Delta(\pi_2^{\sim})$ }

$\delta \in \Delta(\langle\pi_2^{\sim}\rangle\langle\pi_1\rangle u)$

⇔ $\delta \in \Delta(\langle\pi\rangle u)$. □



5 Morphisms, Categorical Structure

To complete the formal definition of a category of interfaces, we need to define morphisms between interfaces. This is done in the usual way:

Definition 10. A linear arrow from $X$ to $Y$ is a seed in $X \multimap Y$.

Here is a nicer characterization of linear arrows from $X$ to $Y$:

Lemma 6. $r \in S(X \multimap Y)$ iff $\langle r\rangle(P_X(x)) \subseteq P_Y(\langle r\rangle(x))$ for all $x \subseteq |X|$.

Proof. Suppose $r$ is a seed in $X \multimap Y$, let $b \in \langle r\rangle P_X(x)$

⇒ there is some $a$ s.t. $(a, b) \in r$ and $a \in P_X(x)$

⇒ { $r$ is a seed in $X \multimap Y$ }

$(a, b) \in P_X \multimap P_Y(r)$

⇒ { definition of $\multimap$ }

$b \in P_Y(\langle r\rangle x)$.

Conversely, suppose $\langle r\rangle P_X(x) \subseteq P_Y\langle r\rangle(x)$; let $(a, b) \in r$, and $a \in P_X(x)$. We have $b \in \langle r\rangle P_X(x)$, and by hypothesis, $b \in P_Y(\langle r\rangle x)$. □

Lemma 7. If $r \in S(X \multimap Y)$ and $r' \in S(Y \multimap Z)$ then $r' \cdot r \in S(X \multimap Z)$.

Proof. This is the essence of point (9) from Proposition 1; or a simple corollary to Lemma 6. □

Taken together with Lemma 3, this makes interfaces into a category:

Definition 11. Int is the category of interfaces and linear arrows.

This category is an enrichment of the usual category Rel. The construction can be summarized in the following way:

Lemma 8. Int is obtained from Rel by …:

— $X \mapsto \mathrm{Pt}_X = \mathcal{P}(X) \to \mathcal{P}(X)$;

— for $r \subseteq X \times Y$, $P \in \mathrm{Pt}_X$ and $Q \in \mathrm{Pt}_Y$: $P\ \langle r\rangle\ Q$ iff $\langle r\rangle \cdot P \subseteq Q \cdot \langle r\rangle$.
Let’s now turn our attention to the structure of this category:

Lemma 9. Int … $\top$ …

Proof. This is immediate. □

Lemma 10. $(\cdot)^\perp$ is an involutive contravariant functor on Int.

Proof. Involutivity is trivial; contravariance is only slightly trickier:

$r$ is a seed in $A \multimap B$

⇔ { Lemma 6 }

$\forall x\ \langle r\rangle A(x) \subseteq B\langle r\rangle x$

⇔

$\forall x\ \overline{B\langle r\rangle x} \subseteq \overline{\langle r\rangle A(x)}$

⇔ { lemma: $y \subseteq \overline{\langle r\rangle x}$ iff $\langle r^{\sim}\rangle y \subseteq \bar x$ }

$\forall x\ \langle r^{\sim}\rangle\overline{B\langle r\rangle x} \subseteq \overline{A(x)}$

⇒ { in particular, for $x$ of the form $\overline{\langle r^{\sim}\rangle x'}$, we have $\langle r\rangle x \subseteq \overline{x'}$ (lemma) }

$\forall x\ \langle r^{\sim}\rangle B^\perp(x) \subseteq A^\perp(\langle r^{\sim}\rangle x)$

⇔ $r^{\sim}$ is a seed in $B^\perp \multimap A^\perp$. The action of $\perp$ on morphisms is just $r \mapsto r^{\sim}$. □

Corollary 1. Int … $\oplus$ … $\otimes$ …

It is now easy to see that linear arrows transform seeds into seeds, and, in the other direction, antiseeds into antiseeds:

Proposition 2. Let $r \in S(X \multimap Y)$. Then

(i) $\langle r\rangle$ sends $S(X)$ into $S(Y)$ (and commutes with sups);

(ii) $\langle r^{\sim}\rangle$ sends $S(Y^\perp)$ into $S(X^\perp)$.

Proof. Let $r \in S(X \multimap Y)$ and $x \subseteq X(x)$; we want to show that $\langle r\rangle x \subseteq Y(\langle r\rangle x)$.

Let $b \in \langle r\rangle x$

⇒ $(\exists a)\ (a, b) \in r \wedge a \in x$

⇒ { $r$ is a seed in $X \multimap Y$ }

$(\exists a)\ (a, b) \in X \multimap Y(r) \wedge a \in x$

⇒ { definition of $X \multimap Y$ with the fact that $x \subseteq X(x)$ }

$b \in Y(\langle r\rangle x)$.

Showing that $\langle r\rangle$ commutes with sups is immediate: it commutes with arbitrary unions, even when the argument is not a seed.

The second point follows because $r^{\sim} \in S(Y^\perp \multimap X^\perp)$. □

Lemma 11. … $\perp$ …

Proof. We need to show the bifunctoriality of $\otimes$. This was actually proved in the previous section (Proposition 1, point (5)). The bifunctoriality of ⅋ follows by duality; and the rest is immediate. □

As a summary of this whole section, we have:

Proposition 3. Int …

Proof. This amounts to checking trivial equalities, in particular, that the following diagram commutes (where $d$ is the natural isomorphism $X \simeq X^{\perp\perp}$):

$X \multimap Y^\perp$ … $Y^\perp$

$X^{\perp\perp}$ … $Y^{\perp\perp}$

It is immediate because $d = \mathrm{Id}$ and $X^{\perp\perp} = X$. □

6 Exponentials

The category Int is thus a denotational model for multiplicative additive linear logic. Let’s now add the exponentials $!X$ and $?X$.

Unsurprisingly, we will use finite multisets; here are the necessary definitions and notations:

Definition 12. Let $S$ be a set.

— … $(s_i)_{i \in I}$ … $(s_j)_{j \in J}$ … $(s_i) = (s_j)$ …;

— … $\mathcal{M}_f(S)$ …;

— for $x, y \subseteq S$, … $\{[a, b] \mid a \in x \wedge b \in y\}$;

— … $\prod_{i \in I}$ …;

— for $U, V \subseteq \mathcal{M}_f(S)$, … $\{u + v \mid u \in U \wedge v \in V\}$, written $U * V$;

— …

Definition 13. For $X = (|X|, P)$, $!X = (\mathcal{M}_f(|X|), !P)$ where

$$[a_1, \dots, a_n] \in\, !P(U) \iff (\exists (x_i)_{1 \le i \le n})\ \prod_i x_i \subseteq U \wedge (\forall i = 1, \dots, n)\ a_i \in P(x_i)$$

and $?X = (!(X^\perp))^\perp$.

Recall that a multiset $[a_i]$ is in $\prod x_i$ iff there is a bijection $\sigma$⁵ s.t. $\forall i$, $a_{\sigma(i)} \in x_i$.

A useful intuition is that $[a_1, \dots] \in\, !P(U)$ iff $[a_1, \dots]$ is in a “weak infinite tensor” $A^{\otimes n}(U)$. In terms of specifications and programs, it suggests multi-threading: for an initial state $[a_1, \dots, a_n]$, start $n$ occurrences of the program in the states $a_1, \dots, a_n$; the final state is nothing but the multiset of all the $n$ final states.⁶ The “weak” part means that we forget the link between a particular final state and a particular initial state.

⁵ Defined on the disjoint sum of the different index sets.

⁶ The interpretation of $!$, like that of $\otimes$, is a synchronous operation.
Note that this is a “non-uniform” model in the sense that the web of $!X$ contains all finite multisets, not just those whose underlying set is a seed. It is thus closer to non-uniform (hyper)coherence semantics (see [10] or [11]) than to the traditional (hyper)coherence semantics.

Let’s prove a simple lemma about the exponentials:

Lemma 12. Let $U \subseteq \mathcal{M}_f(|A|)$.

(i) $[a] \in\, !A(U)$ iff $a \in A(x)$ for some $x$ such that $(\forall a' \in x)\ [a'] \in U$;

(ii) $l + l' \in\, !A(U)$ iff $l \in\, !A(V)$ and $l' \in\, !A(V')$ for some $V * V' \subseteq U$;

(iii) $[a] \in\, ?A(U)$ iff $a \in A(x)$ for all $x$ such that $(\forall a' \notin x)\ [a'] \notin U$;

(iv) $l + l' \in\, ?A(U)$ iff $l \in\, ?A(\bar V)$ or $l' \in\, ?A(\overline{V'})$ for all $V * V' \subseteq \bar U$.

Proof. The first point is immediate and the second is left as an exercise. The third and last point are consequences of the definition of $?$ in terms of $!$. □



Define now the interpretation of proofs with exponentials:

(10) if $\pi$ is $\dfrac{\pi_1 \vdash \Gamma, A}{\vdash \Gamma, ?A}$ then $\pi^* = \{(\gamma, [a]) \mid (\gamma, a) \in \pi_1^*\}$;

(11) if $\pi$ is $\dfrac{\pi_1 \vdash \Gamma}{\vdash \Gamma, ?A}$ then $\pi^* = \{(\gamma, []) \mid \gamma \in \pi_1^*\}$;

(12) if $\pi$ is $\dfrac{\pi_1 \vdash \Gamma, ?A, ?A}{\vdash \Gamma, ?A}$ then $\pi^* = \{(\gamma, l + l') \mid (\gamma, l, l') \in \pi_1^*\}$;

(13) if $\pi$ is $\dfrac{\pi_1 \vdash\, ?\Gamma, A}{\vdash\, ?\Gamma, !A}$ then we define $(l_1, \dots, l_k, [a_1, \dots, a_n]) \in \pi^*$ if for each $j = 1, \dots, k$ there is a partition $l_j = \sum_{1 \le i \le n} l_j^i$ and the following holds: for each $i = 1, \dots, n$, $(l_1^i, \dots, l_k^i, a_i) \in \pi_1^*$.


Proposition 4. If $\pi$ is a proof of $\Gamma$ (possibly using the exponential rules), then $\pi^* \in S(\Gamma^*)$.

Proof. Points (10) and (11) are immediate.

(12): suppose $\pi_1$ is a seed in $\Gamma, ?A, ?A$ and let $(\gamma, l + l')$ be an element of $\pi$. By contradiction, suppose that $(\gamma, l + l') \notin \Gamma, ?A(\pi)$

⇔ $(\gamma, l + l') \in \Gamma^\perp \otimes\, !A^\perp(\bar\pi)$

⇔ { for some $u \times U \subseteq \bar\pi$ }

$\gamma \in \Gamma^\perp(u) \wedge l + l' \in\, !A^\perp(U)$

⇔ { Lemma 12 }

$\gamma \in \Gamma^\perp(u) \wedge (\exists\, V * V' \subseteq U)\ l \in\, !A^\perp(V) \wedge l' \in\, !A^\perp(V')$

⇒ { lemma: $u \times V \times V' \subseteq \overline{\pi_1}$ }

$\gamma \in \Gamma^\perp(u) \wedge l \in\, !A^\perp(V) \wedge l' \in\, !A^\perp(V')$

⇒ $(\gamma, l, l') \in \Gamma^\perp \otimes\, !A^\perp \otimes\, !A^\perp(\overline{\pi_1})$

⇔ $(\gamma, l, l') \notin \Gamma, ?A, ?A(\pi_1)$, which contradicts the fact that $\pi_1$ is a seed in $\Gamma, ?A, ?A$.

126 P. Hyvernat

(13): suppose that $\Gamma$ contains only one formula $B$. The general case will follow from a lemma proved below (Lemma 13). Suppose that $\pi_1$ is a seed in $?B, A$; let $(l, [a_1, \dots, a_n])$ be in $\pi$, $(l_i, a_i) \in \pi_1$ for $i = 1, \dots, n$, for some partition $(l_i)$ of $l$.

Suppose by contradiction that $(l, [a_1, \dots, a_n]) \notin\, ?B, !A(\pi)$

⇔ $(l, [a_1, \dots, a_n]) \in\, !B^\perp \otimes\, ?A^\perp(\bar\pi)$

⇔ { for some $U \times V \subseteq \bar\pi$ }

$l \in\, !B^\perp(U) \wedge [a_1, \dots, a_n] \in\, ?A^\perp(V)$

⇔ { definition of $?A$ }

$l \in\, !B^\perp(U) \wedge \big(\forall (x_i)\ \prod x_i \subseteq \bar V \Rightarrow (\exists i)\ a_i \in A^\perp(\overline{x_i})\big)$

⇔ { Lemma 12 for $l$: for some $(U_i)$ s.t. $\prod_i U_i \subseteq U$ }

$(\forall i)\ l_i \in\, !B^\perp(U_i) \wedge \big(\forall (x_i)\ \prod x_i \subseteq \bar V \Rightarrow (\exists i)\ \ldots\big)$

⇒ { define $x_i = \langle\pi_1\rangle U_i$; lemma: $\prod_i x_i \subseteq \bar V$ }

$\big((\forall i)\ l_i \in\, !B^\perp(U_i)\big) \wedge \big((\exists i)\ a_i \in A^\perp(\overline{x_i})\big)$

⇒ { lemma: $U_i \times \overline{x_i} \subseteq \overline{\pi_1}$ }

$(\exists i)\ (\exists\, U_i \times \overline{x_i} \subseteq \overline{\pi_1})\ l_i \in\, !B^\perp(U_i) \wedge a_i \in A^\perp(\overline{x_i})$

⇒ $(l_i, a_i) \in\, !B^\perp \otimes A^\perp(\overline{\pi_1})$

⇔ $(l_i, a_i) \notin\, ?B, A(\pi_1)$, which contradicts the fact that $\pi_1$ is a seed in $?B, A$. □

Lemma 13. For all interfaces $X$ and $Y$, $!(X \& Y) = !X \otimes\, !Y$.

Proof. The state spaces are isomorphic via $\mathcal{M}_f(|X| + |Y|) \simeq \mathcal{M}_f(|X|) \times \mathcal{M}_f(|Y|)$. We will use this transparently, for example $l \in R$ iff $(l_X, l_Y) \in R$. This is possible because the sets are disjoint: we can always split a multiset in $x * y$ into two multisets in $x$ and $y$. (In other words: if $x \cap y = \emptyset$ then $x * y \simeq x \times y$.)

Notice also that $(1, a) \in X \& Y(x, y) \iff a \in X(x)$ so that when considering a particular element of $X + Y(x, y)$, only one part of the argument $(x, y)$ is really important; the other can be dropped (or replaced with $\emptyset$).

$\subseteq$: suppose $[a_1, \dots, a_n] + [b_1, \dots, b_m] \in\, !(X \& Y)(R)$

⇔ { for some $(x_i)_{i = 1, \dots, n}$ and $(y_j)_{j = 1, \dots, m}$ }

$\prod_i x_i * \prod_j y_j \subseteq R \wedge (\forall i)\ a_i \in X(x_i) \wedge (\forall j)\ b_j \in Y(y_j)$

⇒ { define $U' = \prod_i x_i$ and $V' = \prod_j y_j$ }

$(\exists\, U' \times V' \subseteq R)\ [a_i] \in\, !X(U') \wedge [b_j] \in\, !Y(V')$

⇔ $([a_1, \dots, a_n], [b_1, \dots, b_m]) \in\, !X \otimes\, !Y(R)$.

$\supseteq$: suppose $([a_1, \dots, a_n], [b_1, \dots, b_m]) \in\, !X \otimes\, !Y(R)$

⇔ { for some $U' \times V' \subseteq R$ }

$[a_1, \dots, a_n] \in\, !X(U') \wedge [b_1, \dots, b_m] \in\, !Y(V')$

⇔ { for some $(x_i)$ s.t. $\prod x_i \subseteq U'$ and $(y_j)$ s.t. $\prod y_j \subseteq V'$ }

$(\forall i)\ a_i \in X(x_i) \wedge (\forall j)\ b_j \in Y(y_j)$

⇒ { $\prod_i x_i \times \prod_j y_j \subseteq U' \times V'$ and thus $\prod_i x_i * \prod_j y_j \subseteq R$ }

$[a_1, \dots, a_n] + [b_1, \dots, b_m] \in\, !(X \& Y)(R)$. □

This allows us to transform any sequent $?\Gamma = ?B_1 \,⅋\, \dots \,⅋\, ?B_n$ into $?(B_1 \oplus \dots \oplus B_n)$, and thus, formally ends the proof of Proposition 4 point (13).

7 Linear Interfaces and Linear Seeds

What is the structure of those interfaces that come from a linear formula? The answer is unfortunately trivial:

Proposition 5. For any formula $F$, $P_F = \mathrm{Id}_{\mathcal{P}(|F|)}$.

Proof. Immediate induction. Let’s treat the case of the exponentials: suppose $F(x) = x$; suppose moreover that $[a_1, \dots, a_n] \in U$

⇒ $a_i \in F(\{a_i\})$ for all $i$ and $\prod \{a_i\} = \{[a_1, \dots, a_n]\} \subseteq U$

⇒ $[a_1, \dots, a_n] \in\, !F(U)$.

Similarly, suppose $[a_1, \dots, a_n] \in\, !F(U)$

⇒ each $a_i \in F(x_i) = x_i$ for some $(x_i)$ s.t. $\prod x_i \subseteq U$

⇒ { $[a_1, \dots, a_n] \in \prod x_i$ }

$[a_1, \dots, a_n] \in U$. □

In particular, every subset of $|F|$ is a clique and an anticlique: the situation is thus quite similar to the purely relational model. In the presence of atoms however, interfaces become much more interesting.

Adding atoms is sound because the proof of Proposition 1 doesn’t rely on the particular properties of interfaces. Note that we need to introduce a general axiom rule and its interpretation:

(14) if $\pi$ is $\dfrac{}{\vdash X, X^\perp}$ then $\pi^* = \mathrm{Id}_{|X|} = \{(a, a) \mid a \in |X|\}$.

This is correct in the sense that $\pi^*$ is always a clique in $X \,⅋\, X^\perp$.

With such atoms, the structure of linear interfaces gets non trivial.⁷ For example, let’s consider the following atom $A = (\{-, +\}, P)$ defined by:

— $P(\emptyset) = \emptyset$ and $P(|A|) = |A|$;

— $P(\{+\}) = \{-\}$ and $P(\{-\}) = \{+\}$.

⁷ We can extend this to a model for … logic, and even to full second order, see [12].
This is the simplest example of an interesting interface, and corresponds to a “switch” specification. (Interpret $-$ as “off” and $+$ as “on”.)

Lemma 14. For this $P$:

(i) $P^\perp = P$;

(ii) $P \cdot P = \mathrm{Id}$;

(iii) $S(A) = \{\emptyset, \{+, -\}\}$;

(iv) $\{(+, -), (-, +)\} \in S(A \otimes A)$.

Proof. This is just trivial computation... □

Point (iv) shows in particular that a seed in $X \otimes Y$ need not contain a product of seeds in $X$ and $Y$. (Compare with Lemma 5.)

The hierarchy generated from this single interface is however still relatively 
simple: call a specification ... if it commutes with non-empty unions 
and intersections. 

Lemma 15. P , . , , P . 

‘ f\ ^ \ F ^ if) 

F^ 

A less trivial (in the sense that it is not deterministic) specification is the 
following: if X is a set, magic_X(x) = X. In terms of programming, the use of 
the magic command allows one to reach any predicate, even the empty one! 

Lemma 16. Id_{|X|} ^ magic_X ^ magic_X(Id_{|X|}) if X ≠ ∅. 

Thus we cannot strengthen the definition of seeds to read "x = P(x)" without 
imposing further constraints on our specifications. It is still an open question 
to find a nice class of predicate transformers for which it would be possible. 
(However, considerations about second order seem to indicate that strengthening 
the definition of seeds in such a way is not a good idea.) 

In the case with atoms, because the structure of seeds (sup-lattice) is quite 
different from the structure of cliques in the ...-coherent model (domain), it is 
difficult to relate seeds and cliques. In particular, a seed need not be a clique 
(since the union of arbitrary cliques is not necessarily a clique); and a clique 
need not be a seed (since a subset of a seed is not necessarily a seed). 



Conclusion 

One aspect which was not really mentioned here is the fact that linear arrows 
from A to B are equivalent to the notion of ... (Lemma 6) 
from the refinement calculus. In particular, a linear proof of A ⊸ B is a proof 
that specification B ... specification A. It would be interesting to see if any 
application to the refinement calculus could be derived from this work. In the 
same direction, trying to make sense of the notions of ... 
or of ... in terms of linear logic could prove interesting. 

Footnote: where (f)(x) = {f(a) | a ∈ x}. 

The fact that this model is degenerate in the propositional case is disappoint- 
ing, but degeneracy disappears when we consider fl^ logic, and ..., when we 
consider full second-order (see [12]). The point of extending this propositional 
model to fl^ is to remove the dependency on specific valuations for the atoms 
present in a formula. 

One of the interesting consequences of this work, namely that a proof of a formula F 
gives a guarantee that the system specified by the formula F can avoid dead- 
locks, seems to point toward other fields like process calculi and similar models 
for "real" computations. This direction is currently being pursued together with 
the following link with the differential lambda-calculus ([2]): one property of 
this model which doesn't reflect any logical property is the following; we have a 
natural transformation A ⊸ !A called ..., which has a natural inter- 
pretation in terms of differential operators on formulas (see [3]). Note that such 
a natural transformation forbids any kind of completeness theorem, at least as 
far as "pure" linear logic is concerned. 
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Abstract. The aim of this work is to give an alternative presentation 
for the multiplicative fragment of Yetter’s cyclic linear logic. The new 
presentation is inspired by the calculus of structures, and has the inter- 
esting feature of avoiding the cyclic rule. The main point in this work is 
to show how cyclicity can be substituted by deepness, i.e. the possibility 
of applying an inference rule at any point of a formula. We finally de- 
rive, through a new proof technique, the cut elimination property of the 
calculus. 

Keywords: proof theory, linear logic, cyclic linear logic, calculus of 
structures, Lambek calculus. 



1 Introduction 

A non-commutative version of linear logic appeared as soon as linear logic was 
published [1]; in 1987 Jean Yves Girard, in a series of lectures, suggested a 
version of linear logic containing non-commutative connectives. This logic was 
later fully developed by Yetter [2] and named Cyclic Linear Logic (CyLL). This 
immediate interest for a non-commutative logic can be explained by the fact 
that linear logic puts great emphasis on structural rules, and so it was natural 
to consider the commutativity rule and check whether it is possible to define a 
proof system without it. Looking at the subject from a semantic point of view, 
non-commutative connectives are present in the “logic of quantum mechanics” [3] 
a logic aiming to model empirical verification and containing a non commutative 
connective "and then" (&). In this logic, the formula A & B is interpreted as "we 
have verified A and then we have verified B". Non-commutative connectives are 
present also in Lambek’s syntactic calculus [4], a calculus modeling linguistic 
constructors. Both these calculi are strictly related with cyclic linear logic, in 
particular, Lambek’s calculus can be seen as a fragment of the multiplicative 
cyclic linear logic. Later on the cyclic linear logic has been extended by the 
introduction of a commutative version of the multiplicative connectives [5,6], 
leading to the definition of non-commutative logic (NL), a logic that encompasses 
both cyclic linear logic and standard linear logic. 
The multiplicative fragment of cyclic linear logic can be simply obtained by 
taking the multiplicative LL, and substituting the structural rule of Exchange: 

  ⊢ Γ 
  ────  Exchange   (the list Γ is a permutation of the list Δ) 
  ⊢ Δ 

with the Cycling rule: 

  ⊢ Γ, A 
  ──────  Cycling 
  ⊢ A, Γ 

The Cycling rule is considered so crucial that the whole logic is named after it. 
However this rule still misses a natural explanation, and it is often explained in 
terms of necessity: 

  The reader should note that in terms of the semantics we will develop, 
  the seemingly unnatural Cycling rule is forced by having a system with 
  a single negation ... [2] 

More recently Guglielmi proposed the calculus of structures (CoS) [7] as 
a calculus for defining logics, alternative to sequent calculus and whose main 
feature is deep inference, that is the possibility of applying inference rules ar- 
bitrarily deep inside formulae. This greater liberty in applying inference rules 
can be used to treat logics whose formalization in the sequent calculus is not 
completely satisfactory (as modal logic [8]), or to ensure structural properties 
for the derivation, properties that are not present in sequent calculus derivations 
(as locality [9, 10]). Moreover there are examples of logics that cannot be treated 
at all in sequent calculus [7]. 

In this work, we present cyclic linear logic using the CoS. We show that 
the cycling rule can be avoided in the CoS formulation, namely, we show that 
if one takes the formulation of multiplicative linear logic in the CoS and then 
simply drops the commutative rules for par and tensor, one immediately obtains 
a formulation of cyclic linear logic (with no cycling rule present). This fact gives 
an explanation for the cycling rule, i.e. the cycling rule is a rule that recovers the 
lack of deep inference in the sequent calculus. In more detail, deep inference can 
be, informally, described as follows: 

  for any formulae A, B and positive context S, from A ⊸ B and S[A] 
  derive S[B]. 

Deep inference as a rule is normally not present in proof systems but one can 
argue, after having defined positive contexts, that deep inference has to be an 
admissible rule. In our work, we show that, with respect to admissibility, the 
cycling rule and deep inference are equivalent, i.e., for any proof system contain- 
ing all the remaining rules of cyclic linear logic, the cycling rule is admissible if 
and only if deep inference is admissible. Therefore, the CoS gives a method for 
substituting, in Yetter's words, a "seemingly unnatural" rule, cycling, with a natu- 
ral one, deep inference. The proof transformation between the two systems does 
not add complexity cost: given a CyLL proof in sequent calculus, it is possible 
to define a corresponding proof in the CoS containing the same order of applied 
rules. 

As a further result, in this work we present a new technique for proving 
cut elimination that can be usefully employed in the treatment of other logics 
inside the CoS. The CoS is a very recent formalism and so there is the need 
of developing a bunch of techniques for obtaining meta-theoretical results. Our 
original proof of cut elimination is a step in this direction. 

The article is organized as follows: Section 2 gives a short explanation of 
the calculus of structures, Section 3 formalizes the multiplicative linear logic 
in the CoS, Section 4 presents cyclic linear logic together with a proof of cut 
elimination. Section 5 gives a short account for possible future works. 



2 Calculus of Structures 

The CoS is characterized by two main features, the possibility of applying infer- 
ence rules at any point in a formula (deep inference) and the idea to consider 
formulae up to an equivalence relation equating formulae provably equivalent by 
some elementary arguments. The equivalence classes of this relation are called 
structures. In this article we retain the first feature of the CoS but drop the 
second one, i.e. we do not use structures and work directly on formulae. The 
main reason for this choice is the fact that the cut elimination proof, given in 
the following, needs to consider a proof system where also formulae belonging to the 
same equivalence class are kept distinct. As a consequence, we do not present 
here the true CoS but a slightly different formalism using a different syntax and 
having a different treatment of the equality. The reader not familiar with the 
CoS will gain a more direct presentation: we use only formulae and we avoid 
the syntactic overhead caused by structures. The reader familiar with the CoS 
should have no problem in relating the two presentations. 

Before introducing our formalism, we want to present an alternative view 
of the sequent calculus. In constructing a derivation for a formula A, in se- 
quent calculus, one reduces the derivability of a formula A to the derivability 
of a set of sequents. That is, in the intermediate steps of the construction of a 
bottom-up derivation of A, one reduces the problem of deriving A to the prob- 
lem of deriving a set of sequents. The intuitive meaning of this set of sequents 
(let it be ⊢ B_{1,1}, ..., B_{1,n_1}; ⊢ B_{2,1}, ..., B_{2,n_2}; ...; ⊢ B_{m,1}, ..., B_{m,n_m}) is the 
formula 

  (B_{1,1} ⅋ ... ⅋ B_{1,n_1}) ⊗ (B_{2,1} ⅋ ... ⅋ B_{2,n_2}) ⊗ ... ⊗ (B_{m,1} ⅋ ... ⅋ B_{m,n_m}). 

In fact one can easily map a set of derivations for the sequents ⊢ B_{1,1}, ..., B_{1,n_1}; 
⊢ B_{2,1}, ..., B_{2,n_2}; ...; ⊢ B_{m,1}, ..., B_{m,n_m} into a derivation for the formula and 
vice-versa. One can see the above set of sequents as a different writing of the 
previous formula. This alternative writing of a formula is a way of marking the 
main connectives to which inference rules can be applied. We argue that sequent 
calculus is a formalism for writing derivations where the main connectives have, 
at most, syntactic deepness two. In this respect, the most remarkable difference 
between sequent calculus and the CoS lies in the fact that in the CoS rules can 
be applied at an arbitrary deepness inside a formula. 

In the CoS there is more freedom in applying rules, and as a consequence, 
derivations lose some of their internal structure; but on the other hand there 
are many examples of logics where the use of deep rules gives some advantages 
from the point of view of proof theory [9, 7, 8, 10]. 



3 Multiplicative Linear Logic 

As a first step in presenting cyclic linear logic, we present multiplicative linear 
logic (MLL) [1] in the CoS. We use the standard syntax of multiplicative linear 
logic, i.e. our formulae are given by the syntax: 

  A ::= ⊥ | 1 | a | ā | (A ⅋ A) | (A ⊗ A) 

Formulae in the form a, ā are called atomic. We denote by ā the negation of a. 
The negation of an arbitrary formula A is syntactically defined by the following 
(De Morgan) rules: 

  the negation of A ⅋ B is B̄ ⊗ Ā 
  the negation of A ⊗ B is B̄ ⅋ Ā 
  the negation of ā is a 




3.1 Equivalence Between Formulae 

As we already remarked, the CoS introduces the notion of structures, which are 
equivalence classes of formulae. Formulae contained in the same equivalence class 
are considered to be elementarily logically equivalent. In a derivation there is al- 
ways the freedom to choose the most suitable representative of a structure. In 
this way, it is possible to omit what is considered bureaucracy, and so better 
highlight the important steps in a derivation. Here we follow a different ap- 
proach: we do not use structures and work directly on formulae. An abstract 
motivation for our choice is the idea that working with structures, hence with 
equivalence classes, it is possible to hide some interesting aspects of the proof 
theory. A more concrete argument against the use of structures is the fact that our 
cut elimination proof relies on the distinction between formulae belonging to the 
same equivalence class and cannot be presented in terms of structures. 

Having decided to work directly on formulae, we need to introduce some rules, 
not explicitly present in the CoS, allowing one to substitute, in a derivation, a formu- 
la by an elementarily equivalent one. This can be obtained by introducing 
a set of rules, each rule stating a particular property of a particular connec- 
tive. However, in order to have a more compact presentation, we group together 
these "equivalence" rules in a single rule. To this end we introduce a relation ~ 
between formulae; ~ relates formulae that can be shown equivalent by a single 
application of the commutativity, associativity and identity laws for the con- 
nectives par and tensor. Note that in defining the relation ~ we do not use any 
symmetric or transitive closure, hence ~ is not an equivalence relation. The rela- 
tion ~ is defined by the following set of schemata: 



  A ⅋ B ~ B ⅋ A                Par commutative 
  A ⊗ B ~ B ⊗ A                Times commutative 
  A ⅋ (B ⅋ C) ~ (A ⅋ B) ⅋ C    Par associative 
  A ⊗ (B ⊗ C) ~ (A ⊗ B) ⊗ C    Times associative 
  ⊥ ⅋ A ~ A                    Par unit L 
  A ~ A ⅋ ⊥                    Par unit R 
  1 ⊗ A ~ A                    Times unit L 
  A ~ A ⊗ 1                    Times unit R 



3.2 Proof System 

We take full advantage, in presenting our calculus, of the fact that logical 
rules are closed under positive contexts. Positive contexts are generated by the 
grammar: 

  S ::= ∘ | (A ⅋ S) | (S ⅋ A) | (A ⊗ S) | (S ⊗ A) 

We denote by S[A] the formula obtained by replacing, in the structural context 
S, the place holder ∘ by the formula A. 

The proof system, for multiplicative linear logic, is given by the following set 
of inference rules: 



  ────  Empty (Emp) 
   1 

  S[A] 
  ────  Equivalence (Eq)   if A ~ B 
  S[B] 

  S[1] 
  ────────  Interaction (Int) 
  S[A ⅋ Ā] 

  S[A ⊗ Ā] 
  ────────  Cut 
  S[⊥] 

  S[(A ⅋ B) ⊗ C] 
  ─────────────  Switch (Sw) 
  S[A ⅋ (B ⊗ C)] 

As we already remarked, the Equivalence rule can be seen as a compact way to 
represent a set of inference rules, namely the 8 rules obtained by considering, one 
by one, the 8 schemata defining the relation ~. 
Definition 1. We write ⊢ A if the formula A is derivable in the above proof system. 



The article [11] contains a presentation of multiplicative exponential linear 
logic (MELL) in the calculus of structures. Apart from the differences in the 
syntax and in the equivalence rule, we use the same rules presented in [11] for 
the multiplicative connectives. Similarly to what has been done in [11] we can 
prove that our calculus satisfies the cut-elimination property and is equivalent 
to multiplicative linear logic. 

Proposition 1. 

(i) ⊢ A if and only if A is provable in MLL; 

(ii) if ⊢ A then A is derivable without using the Cut rule. 

We omit proofs since they are already present in [11] and can be easily derived 
by the corresponding proofs for cyclic linear logic given in the next sections. 



4 Multiplicative Cyclic Linear Logic 



Cyclic Linear Logic can be obtained by simply removing the commutative rules 
from MLL, that is we consider a new relation ~_N that is equal to the relation ~, 
given in Section 3.1, except for the omission of the commutative rules for par 
and tensor. However, to have a coherent proof system, we need to substitute 
the equivalence rule with a new one having the following form: 

  S[A] 
  ────  EquivalenceN (EqN)   if A ~_N B or B ~_N A 
  S[B] 



In the commutative calculus, this reflexive formulation of the equivalence rule 
is not necessary. In fact, through commutativity, it is possible to derive each extra 
case given by the EquivalenceN rule by (at most three) consecutive applications 
of the Equivalence rule. Similarly to the Equivalence rule, the EquivalenceN rule 
can be seen as a compact way to represent a set of inference rules, namely the 
12 rules obtained by considering, in both directions, the 6 schemata defining 
the relation ~_N. 

We need to add also a mirror image version of the Switch rule: 

  S[A ⊗ (B ⅋ C)] 
  ─────────────  Switch Mirror (SwM) 
  S[(A ⊗ B) ⅋ C] 

which is not present in MLL since it is there derivable through commutativity. 

Definition 2. We call NLS the proof system given by the rules Empty, EquivalenceN, 
Interaction, Cut, Switch and Switch Mirror; we write ⊢_N A if A is derivable in NLS. 



Our proof system is equivalent to multiplicative CyLL. 
Theorem 1. ⊢_N A if and only if A is provable in multiplicative CyLL. 

Proof. In order to prove this theorem we consider the presentation of multiplica- 
tive CyLL given in [2]. We start by proving the left to right implication, that is, 
everything provable in our system is provable in multiplicative CyLL. The im- 
plication follows immediately from two properties of CyLL. The first one is that 
derivation is closed under positive contexts. That is, if S is a positive context not 
containing negation, and the formulae S[A] and Ā ⅋ B are derivable, then also 
the formula S[B] is derivable. This fact can be proved in the following way. Let 
π be a derivation, in multiplicative CyLL, for S[A]; since π cannot examine the 
formula A until the formula A appears as an element of a sequent, looking 
at derivations bottom-up-wise, the derivation π is "independent" from A un- 
til it builds a sequent Φ(A) containing the formula A. From the sequent Φ(A), 
using the Cyclic rule it is then possible to derive a sequent Φ', A (having A as 
last formula) from which, by the Cut rule, one derives Φ', B and, by the Cyclic 
rule, Φ(B). From Φ(B), by following the pattern in π, one can finally derive 
S[B]. 

The second property is that for any rule 

  S[A] 
  ──── 
  S[B] 

contained in system NLS, the formula Ā ⅋ B is derivable in multiplicative CyLL. 
This fact can be checked straightforwardly. 

The other implication is also simple. First, we define a translation, _S, from 
sequents and sets of sequents, into formulae: 

  (A_1, ..., A_n)_S = A_1 ⅋ ... ⅋ A_n 
  {Γ_1, ..., Γ_n}_S = (Γ_1)_S ⊗ ... ⊗ (Γ_n)_S 

It is then easy to check that any CyLL rule different from the Cycling rule is 
derivable, that is, for any rule in the form: 

  ⊢ Γ_1  ...  ⊢ Γ_n 
  ───────────────── 
  ⊢ Δ 

from the formula {Γ_1, ..., Γ_n}_S, using the rules in NLS, it is possible to derive 
the formula Δ_S. 

Finally, we prove that the Cycling rule is admissible. The Cycling rule has 
the form 

  ⊢ Γ, A 
  ──────  Cycling 
  ⊢ A, Γ 

Its admissibility in system NLS can be expressed in the following way: if ⊢ A ⅋ B 
then ⊢ B ⅋ A. The proof works as follows: 

  ──────────────────────  Empty 
  1 
  ──────────────────────  Interaction 
  B ⅋ B̄ 
  ──────────────────────  EquivalenceN 
  B ⅋ (1 ⊗ B̄) 
  ⋮  Hypothesis (⊢ A ⅋ B) 
  B ⅋ ((A ⅋ B) ⊗ B̄) 
  ──────────────────────  Switch 
  B ⅋ (A ⅋ (B ⊗ B̄)) 
  ──────────────────────  Cut 
  B ⅋ (A ⅋ ⊥) 
  ──────────────────────  EquivalenceN 
  B ⅋ A 

□ 



4.1 Cut Elimination 

A fundamental feature of every logical system is the cut-elimination property, 
which can also be proved for NLS. If we consider the different logics so far 
presented in the CoS [9,7,8,10] and we compare, for these logics, the proofs 
of cut-elimination in the sequent calculus and in the CoS, normally we have 
that the latter proofs are lengthier. This fact can be explained by remarking 
that, in its complete formulation, the CoS gives more freedom in constructing 
derivations. It follows that derivations can be quite anarchic objects, and the 
standard proof technique of structural induction on the complexity of derivations 
is more difficult to use. A standard technique, for proving cut elimination in the 
CoS, is to use the so-called splitting lemma [7]. The splitting lemma states that 
one can consider just derivations of a particular shape, i.e. a particular subset 
of derivations is sufficient to derive any provable judgment. We think that the 
splitting lemma is applicable also to this case; however, here we prefer to use a 
different proof technique. There are two reasons for this choice. The first one is 
that when we conceived our proof, the splitting lemma had not been discovered yet. 
The second reason is that our proof highlights some interesting aspects of the 
CoS, namely the admissibility of some instances of the Equivalence rules. The 
main idea in our proof is to use formulae instead of structures. Once this choice 
has been made, the cut elimination proof is obtained by standard techniques. 
In more detail, we define a restricted calculus with a minimal set of derivation 
rules. We then prove that all the omitted rules are admissible in the minimal 
calculus. As an immediate consequence, since the cut rule is an omitted one, we 
have a proof of cut elimination. Since we need to show the admissibility of the 
omitted rules by taking each rule at a time, our proof is quite lengthy, even if 
the single steps, and the general structure, are quite simple. 

As a first step, we need to present a restricted calculus having a minimal set 
of rules. To motivate this restricted calculus we need to introduce the concept 
of duality between rules. Given a rule S with premise S[A] and conclusion S[B], 
the dual of S is the rule with premise S[B̄] and conclusion S[Ā]. 

For example the rule Interaction is dual to the rule Cut, and Switch and Switch 
Mirror are dual to themselves. It is also easy to observe that from any rule S 
it is possible to derive its dual, using the Interaction, the Switch, and the Cut 
rules. In the following, we are going to prove that for any pair of dual rules one 
of them can be eliminated. Duality between rules is a standard concept in the 
CoS, and it is also a standard result that for each pair of dual rules 
one of them can be eliminated. What makes our approach different from the 
previous ones is the fact that we have an explicit rule for equivalence and that 
we apply the notion of duality also to it. In particular, as we already remarked, the 
EquivalenceN rule is a compact way of expressing a set of rules: a rule saying 
that par is associative, another saying that par is commutative, etc. Considering 
this underlying set of rules, one can observe that it contains pairs of dual rules. 
For example the rule stating associativity of par is dual to the rule stating 
associativity of times, the rule for the introduction of the times unit is dual to 
the rule for the elimination of the par unit, and so on. In the restricted calculus, 
we insert just one single instance for each pair of dual rules. In doing so we 
depart from the main stream of the CoS; not only do we make the application of 
the equivalence rule explicit but in the restricted system we do not allow the 
application of some equivalences. In particular we show that the rules stating the 
associativity of times are admissible. With this aim, we define a restricted version 
of the Equivalence rule. This restricted version of the Equivalence rule considers a 
new relation ~_r on formulae. 



Definition 3. The relation ~_r on formulae is defined by the following schemata: 

  (A ⅋ B) ⅋ C  ~_r  A ⅋ (B ⅋ C) 
  A ⅋ (B ⅋ C)  ~_r  (A ⅋ B) ⅋ C 
  ⊥ ⅋ A  ~_r  A 
  A ⅋ ⊥  ~_r  A 
  1 ⊗ A  ~_r  A 
  A ⊗ 1  ~_r  A 

The Restricted Equivalence rule is: 

  S[B] 
  ────  Restricted Equivalence (REq)   if A ~_r B 
  S[A] 



Moreover, it is useful to consider a restricted version of the Interaction rule. 
In fact, it is possible to reduce the Interaction rule to its atomic version. We call 
Atomic Interaction the Interaction rule restricted to atomic formulae: 

  S[1] 
  ────────  Atomic Interaction   with A an atomic formula 
  S[A ⅋ Ā] 
Definition 4. We call NLS_r the restricted system obtained from NLS by replacing 
the EquivalenceN rule with Restricted Equivalence, the Interaction rule with Atomic 
Interaction, and by dropping the Cut rule; we write ⊢_r A if A is derivable in NLS_r. 

We aim to prove that system NLS_r is equivalent to NLS. In particular, we 
will prove that all the rules in NLS are admissible in NLS_r. The proof proceeds 
by several steps, each step proving the admissibility of one missing rule. 

Lemma 1. The Interaction rule is admissible in NLS_r, that is, for any positive 
context S and any formula A, if ⊢_r S[1] then ⊢_r S[A ⅋ Ā]. 

Proof. By induction on the complexity of the formula A. If A is a unit, then the 
thesis follows from the Restricted Equivalence rule. In the case where A is an 
atom, the thesis follows from the Atomic Interaction rule. In the case where A 
is in the form A' ⊗ A'' we have the following chain of implications: 

  ⊢_r S[1] 
  ⟹ ⊢_r S[A' ⅋ Ā']                        (by inductive hypothesis) 
  ⟹ ⊢_r S[(A' ⊗ 1) ⅋ Ā']                  (by Restricted Equivalence rule) 
  ⟹ ⊢_r S[(A' ⊗ (A'' ⅋ Ā'')) ⅋ Ā']        (by inductive hypothesis) 
  ⟹ ⊢_r S[((A' ⊗ A'') ⅋ Ā'') ⅋ Ā']        (by Switch Mirror rule) 
  ⟹ ⊢_r S[(A' ⊗ A'') ⅋ (Ā'' ⅋ Ā')]        (by Restricted Equivalence rule). 

The case where A is in the form A' ⅋ A'' is perfectly equivalent (mirror image) 
to the previous one. □ 
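Both the cycling derivation closing the proof of Theorem 1 and the construction in the proof of Lemma 1 can be replayed mechanically. The Python block below is an added example and not code from the paper: it encodes formulae as tuples, the cyclic negation, and the rules Interaction, Cut, Switch, Switch Mirror, EquivalenceN (associativity and units only, no commutativity), Restricted Equivalence and Atomic Interaction as local rewrites that may fire at any position of a formula (deep inference); it then checks every step of the cycling derivation for arbitrary A, B and every step of the Lemma 1 construction for an arbitrary A. The rule names (`Int`, `Cut`, `Sw`, `SwM`, `EqN`, `REq`, `AInt`, `Hyp`), the tuple encoding, and the orientation chosen for ~_r (units are introduced, par associativity runs both ways) are this example's own assumptions; the `Hyp` step stands for plugging the given derivation of A ⅋ B in for the unit 1.

```python
"""Added example (not the paper's code): a deep-inference step checker for the
non-commutative systems NLS and NLS_r described in the text."""

ONE, BOT = ('1',), ('bot',)

def atom(a): return ('atom', a)
def natom(a): return ('natom', a)            # negated atom, the text's a-bar
def par(x, y): return ('par', x, y)
def tens(x, y): return ('tens', x, y)

def neg(f):
    """Cyclic De Morgan negation: subformula order is reversed.  The clauses
    for the units are the standard ones (assumed, not spelled out in the text)."""
    t = f[0]
    if t == '1': return BOT
    if t == 'bot': return ONE
    if t == 'atom': return natom(f[1])
    if t == 'natom': return atom(f[1])
    return (tens if t == 'par' else par)(neg(f[2]), neg(f[1]))

def eqn_targets(x):
    """Formulas one ~N schema away from x: associativity and units, both
    directions, for par and tensor; no commutativity."""
    out = set()
    for op, unit in (('par', BOT), ('tens', ONE)):
        if x[0] == op:
            a, b = x[1], x[2]
            if b[0] == op: out.add((op, (op, a, b[1]), b[2]))  # a(bc) -> (ab)c
            if a[0] == op: out.add((op, a[1], (op, a[2], b)))  # (ab)c -> a(bc)
            if a == unit: out.add(b)                           # unit op x -> x
            if b == unit: out.add(a)                           # x op unit -> x
        out.add((op, unit, x)); out.add((op, x, unit))         # introduce a unit
    return out

def req_targets(x):
    """~r of Definition 3 (assumed orientation): par associativity both ways and
    unit introductions only; times associativity and unit elimination are the
    equivalences Lemma 2 later shows admissible."""
    out = {par(BOT, x), par(x, BOT), tens(ONE, x), tens(x, ONE)}
    if x[0] == 'par':
        a, b = x[1], x[2]
        if b[0] == 'par': out.add(par(par(a, b[1]), b[2]))
        if a[0] == 'par': out.add(par(a[1], par(a[2], b)))
    return out

def root_step(rule, x, y, hyps=()):
    """Is x -> y an instance of `rule` applied at the root of x?"""
    if rule == 'Int':    # S[1] -> S[A par A-bar]
        return x == ONE and y[0] == 'par' and y[2] == neg(y[1])
    if rule == 'AInt':   # Interaction restricted to atomic A
        return root_step('Int', x, y) and y[1][0] in ('atom', 'natom')
    if rule == 'Cut':    # S[A tens A-bar] -> S[bot]
        return y == BOT and x[0] == 'tens' and x[2] == neg(x[1])
    if rule == 'Sw':     # (A par B) tens C -> A par (B tens C)
        return x[0] == 'tens' and x[1][0] == 'par' and y == par(x[1][1], tens(x[1][2], x[2]))
    if rule == 'SwM':    # A tens (B par C) -> (A tens B) par C
        return x[0] == 'tens' and x[2][0] == 'par' and y == par(tens(x[1], x[2][1]), x[2][2])
    if rule == 'EqN': return y in eqn_targets(x)
    if rule == 'REq': return y in req_targets(x)
    if rule == 'Hyp':    # plug a derivation of an already proved formula in for 1
        return x == ONE and y in hyps
    raise ValueError('unknown rule ' + rule)

def deep_ok(rule, x, y, hyps=()):
    """Deep inference: the rule may fire at the root or inside either branch of
    a par/tensor; every such position is a positive context S[ ] here."""
    if root_step(rule, x, y, hyps):
        return True
    if x[0] == y[0] and x[0] in ('par', 'tens'):
        return ((x[1] == y[1] and deep_ok(rule, x[2], y[2], hyps)) or
                (x[2] == y[2] and deep_ok(rule, x[1], y[1], hyps)))
    return False

NLS = {'Int', 'Cut', 'Sw', 'SwM', 'EqN', 'Hyp'}
NLS_R = {'AInt', 'REq', 'Sw', 'SwM'}

def check(steps, rules, hyps=()):
    """Replay (rule, formula) steps from 1 (the Empty rule); return the final
    formula, or raise on the first step that is not a valid deep application."""
    cur = ONE
    for rule, nxt in steps:
        if rule not in rules or not deep_ok(rule, cur, nxt, hyps):
            raise ValueError(f'{rule} does not derive {nxt} from {cur}')
        cur = nxt
    return cur

def cycling_steps(A, B):
    """The Section 4 derivation of B par A from the hypothesis |- A par B."""
    nB = neg(B)
    return [('Int', par(B, nB)), ('EqN', par(B, tens(ONE, nB))),
            ('Hyp', par(B, tens(par(A, B), nB))), ('Sw', par(B, par(A, tens(B, nB)))),
            ('Cut', par(B, par(A, BOT))), ('EqN', par(B, A))]

def lemma1_steps(A):
    """Lemma 1 construction: derive A par A-bar from 1 with NLS_r rules only."""
    t = A[0]
    if t in ('1', 'bot'): return [('REq', par(A, neg(A)))]
    if t in ('atom', 'natom'): return [('AInt', par(A, neg(A)))]
    L, R = A[1], A[2]
    if t == 'tens':
        steps = lemma1_steps(L) + [('REq', par(tens(L, ONE), neg(L)))]
        steps += [(r, par(tens(L, f), neg(L))) for r, f in lemma1_steps(R)]
        return steps + [('SwM', par(par(tens(L, R), neg(R)), neg(L))),
                        ('REq', par(tens(L, R), par(neg(R), neg(L))))]
    steps = lemma1_steps(L) + [('REq', par(L, tens(ONE, neg(L))))]   # par case: mirror image
    steps += [(r, par(L, tens(f, neg(L)))) for r, f in lemma1_steps(R)]
    return steps + [('Sw', par(L, par(R, tens(neg(R), neg(L))))),
                    ('REq', par(par(L, R), tens(neg(R), neg(L))))]

def cycling_admissible(A, B):
    return check(cycling_steps(A, B), NLS, hyps={par(A, B)}) == par(B, A)

def lemma1_holds(A):
    return check(lemma1_steps(A), NLS_R) == par(A, neg(A))

if __name__ == '__main__':
    a, b = atom('a'), atom('b')
    print(cycling_admissible(a, b), lemma1_holds(tens(a, par(natom('b'), BOT))))
```

`deep_ok` is where the calculus of structures differs from sequent calculus: a step is accepted if the local rewrite matches at the root or at any position reachable through par and tensor, which is exactly the set of positive contexts of Section 3.2. Because `eqn_targets` contains no commutativity schema, `deep_ok('EqN', a ⅋ b, b ⅋ a)` is rejected, so the checker confirms that the cycling derivation really gets by without exchanging subformulae, and since `req_targets` lacks times associativity, the Lemma 1 construction is confirmed to stay inside NLS_r.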

Next, we prove admissibility of the Equivalence rule. The proof will be done 
by induction on the structure of the derivation. To make the induction work, 
we need to take a stronger, and more involved, inductive hypothesis. A prelimi- 
nary definition and a lemma are here necessary. We start by defining new classes 
of contexts. 

Definition 5. (i) A left context, T_l, is a context generated by the grammar 

  T_l ::= ∘ | A ⅋ T_l | A ⊗ T_l 

(ii) A right context, T_r, is a context generated by the grammar 

  T_r ::= ∘ | T_r ⅋ A | T_r ⊗ A 

(iii) A left par-context, V_l, is a context generated by the grammar 

  V_l ::= ∘ | A ⅋ V_l 

(iv) A right par-context, V_r, is a context generated by the grammar 

  V_r ::= ∘ | V_r ⅋ A 

Lemma 2. For any formulae A, B, C, any positive context S, any left par-context V_l 
and any right par-context V_r: 

(i) if ⊢_r S[V_l[A ⊗ B] ⊗ C] then ⊢_r S[V_l[A ⊗ (B ⊗ C)]], and 
    if ⊢_r S[A ⊗ V_r[B ⊗ C]] then ⊢_r S[V_r[(A ⊗ B) ⊗ C]]; 

(ii) if ⊢_r S[V_r[A] ⊗ V_l[1]] then ⊢_r S[V_r[A]], and 
     if ⊢_r S[V_l[1] ⊗ A] then ⊢_r S[V_l[A]]; 

(iii) if ⊢_r S[⊥ ⅋ A] then ⊢_r S[A], and if ⊢_r S[A ⅋ ⊥] then ⊢_r S[A]. 

Proof. All three points are proved by structural induction on the derivation Δ of 
the judgment in the premise. Here we present just the proof of point (i), which is 
the most involved one, having the larger number of cases to consider. The other 
points can be treated with perfectly similar arguments. For each point, the cases 
to consider concern the last rule, R, applied in the derivation Δ. The simple 
cases are the ones where R modifies the derived formula only inside one of the 
contexts S, V_l, V_r, or inside one of the formulae A, B, C: in these cases the thesis 
simply derives by inductive hypothesis and by an application of R. 

For the remaining cases, we schematically present each case by a pair of 
derivations: the first is the application of R considered, while the second 
shows how the case can be treated, i.e. by applying, where needed, the 
inductive hypothesis, and by the given derivation. 

(i.a) The rule R generates one of the formulae A, B, C. This can only happen 
if one of the formulae is a times unit. The case where A is generated is described 
and treated as follows: 

  rule R: 
  S[V_l[B] ⊗ C] 
  ─────────────────  (REq) 
  S[V_l[1 ⊗ B] ⊗ C] 

  treated as: 
  S[V_l[B] ⊗ C] 
  ⋮  (Sw)* 
  S[V_l[B ⊗ C]] 
  ─────────────────  (REq) 
  S[V_l[1 ⊗ (B ⊗ C)]] 

The cases where B or C are generated can be dealt with in a similar way. 

(i.b) The last rule R is a Switch rule involving the context V_l and the 
formula A ⊗ B. This interaction can occur in two forms; the first one is the 
case where V_l = V_l'[D ⅋ ∘], and: 

  rule R: 
  S[V_l'[(D ⅋ A) ⊗ B] ⊗ C] 
  ─────────────────────────  (Sw) 
  S[V_l'[D ⅋ (A ⊗ B)] ⊗ C] 

  treated as: 
  S[V_l'[(D ⅋ A) ⊗ (B ⊗ C)]]        (by inductive hypothesis) 
  ─────────────────────────  (Sw) 
  S[V_l'[D ⅋ (A ⊗ (B ⊗ C))]] 

(i.c) A second form of interaction between the context V_l and the formula 
A ⊗ B is given by the case where V_l = V_l'[(D ⊗ E) ⅋ ∘], and: 

  rule R: 
  S[V_l'[D ⊗ (E ⅋ (A ⊗ B))] ⊗ C] 
  ─────────────────────────────  (SwM) 
  S[V_l'[(D ⊗ E) ⅋ (A ⊗ B)] ⊗ C] 

  treated as: 
  S[V_l'[D ⊗ ((E ⅋ (A ⊗ B)) ⊗ C)]]   (by inductive hypothesis) 
  ─────────────────────────────  (Sw) 
  S[V_l'[D ⊗ (E ⅋ ((A ⊗ B) ⊗ C))]] 
  ─────────────────────────────  (SwM) 
  S[V_l'[(D ⊗ E) ⅋ ((A ⊗ B) ⊗ C)]] 

(i.d) The context S interacts with the formula C; in this case S = S'[∘ ⅋ D] 
and: 

  rule R: 
  S'[V_l[A ⊗ B] ⊗ (C ⅋ D)] 
  ─────────────────────────  (SwM) 
  S'[(V_l[A ⊗ B] ⊗ C) ⅋ D] 

  treated as: 
  S'[V_l[A ⊗ (B ⊗ (C ⅋ D))]]         (by inductive hypothesis) 
  ⋮  SwM · SwM 
  S'[V_l[(A ⊗ (B ⊗ C)) ⅋ D]] 
  ⋮  (REq)* 
  S'[V_l[A ⊗ (B ⊗ C)] ⅋ D] 

(i.e) The context S interacts with the context V_l; in this case S = S'[D ⅋ ∘] 
and the last inference rule is: 

  S'[(D ⅋ V_l[A ⊗ B]) ⊗ C] 
  ─────────────────────────  (Sw) 
  S'[D ⅋ (V_l[A ⊗ B] ⊗ C)] 

For this case, it is sufficient to simply apply the inductive hypothesis. 

(i.f) Finally we need to consider the interaction between the context S and 
the formula V_l[A ⊗ B] ⊗ C; in this case S = S'[∘ ⅋ (D ⊗ E)] and: 

  rule R: 
  S'[((V_l[A ⊗ B] ⊗ C) ⅋ D) ⊗ E] 
  ─────────────────────────────  (Sw) 
  S'[(V_l[A ⊗ B] ⊗ C) ⅋ (D ⊗ E)] 

  treated as: 
  S'[(V_l[A ⊗ (B ⊗ C)] ⅋ D) ⊗ E]     (by inductive hypothesis) 
  ─────────────────────────────  (Sw) 
  S'[V_l[A ⊗ (B ⊗ C)] ⅋ (D ⊗ E)] 

The case where S = S'[(D ⊗ E) ⅋ ∘] is equally easy. □ 

Notice that as special cases of points (i) and (ii) of the above lemma we have 
that 

(i) if ⊢_r S[(A ⊗ B) ⊗ C] then ⊢_r S[A ⊗ (B ⊗ C)], and symmetrically if ⊢_r S[A ⊗ 
(B ⊗ C)] then ⊢_r S[(A ⊗ B) ⊗ C]; 

(ii) if ⊢_r S[A ⊗ 1] then ⊢_r S[A], and symmetrically, if ⊢_r S[1 ⊗ A] then ⊢_r S[A]; 

it follows: 

Proposition 2. The EquivalenceN rule is admissible in NLS_r. 

Next we prove the admissibility of the atomic cuts; also for this case the proof 
is done by induction on the structure of the derivation, and also for this case, 
to make the induction work, we need to take a stronger, and more involved, 
inductive hypothesis. The following lemma implies the admissibility of atomic 
cuts. 

Lemma 3. For any atom a, any positive context S, any left context T_l and any 
right context T_r, 

  if ⊢_r S[T_l[a] ⊗ T_r[ā]] (or ⊢_r S[T_l[ā] ⊗ T_r[a]]) then ⊢_r S[T_l[⊥] ⅋ T_r[⊥]]. 

Proof. The proof is by structural induction on the derivation Δ of ⊢_r S[T_l[a] ⊗ 
T_r[ā]], and it is quite similar to the proof of Lemma 2. The different cases 
considered by the structural induction can be split in two groups. The simple 
cases are the ones where the last rule R in Δ works internally to one of the 
contexts S, T_l, T_r; in all these cases the thesis follows by inductive hypothesis 
and by an application of the rule R. The other cases are the ones where the 
rule R modifies more than one context, or generates one of the atoms a, ā. 
In detail: 

(a) an Atomic Interaction rule generates one of the atoms. This case can be 
described and treated as follows (here T_r = T_r'[∘ ⅋ a]): 

  rule R: 
  S[T_l[a] ⊗ T_r'[1]] 
  ─────────────────────────  (Atomic Interaction) 
  S[T_l[a] ⊗ T_r'[ā ⅋ a]] 

  treated as: 
  S[T_l[a] ⊗ T_r'[1]] 
  ─────────────────────────  (REq) 
  S[T_l[⊥ ⅋ a] ⊗ T_r'[1]] 
  ⋮  (REq · SwM)* 
  S[(T_l[⊥] ⅋ a) ⊗ T_r'[1]] 
  ─────────────────────────  (Sw) 
  S[T_l[⊥] ⅋ (a ⊗ T_r'[1])] 
  ⋮  (EqN + SwM)* 
  S[T_l[⊥] ⅋ T_r'[a ⊗ 1]] 
  ─────────────────────────  (EqN) 
  S[T_l[⊥] ⅋ T_r'[a]] 
  ─────────────────────────  (REq) 
  S[T_l[⊥] ⅋ T_r'[⊥ ⅋ a]] 

One should remark that the second one is not a true derivation in NLS_r; 
in fact the EquivalenceN rule is just admissible in NLS_r. The second diagram 
should be interpreted as a schematic proof that the formula S[T_l[⊥] ⅋ T_r'[⊥ ⅋ a]] 
is derivable in NLS_r. 

(b) a Switch rule makes the contexts S and T_l interact. This case can be 
described and treated as follows: S = S'[A ⅋ ∘] and 

  rule R: 
  S'[(A ⅋ T_l[a]) ⊗ T_r[ā]] 
  ─────────────────────────  (Sw) 
  S'[A ⅋ (T_l[a] ⊗ T_r[ā])] 

  treated as: 
  S'[(A ⅋ T_l[⊥]) ⅋ T_r[⊥]] 
  ─────────────────────────  (REq) 
  S'[A ⅋ (T_l[⊥] ⅋ T_r[⊥])] 

It remains to consider the cases where the context S interacts with the 
whole formula T_l[a] ⊗ T_r[ā], where the context T_l interacts with the formula a, 
and where the context T_r interacts with the formula ā. All these cases are 
immediate. □ 

Lemma 4. The Cut rule is admissible in NLS_r: for any positive context S and 
any formula A, 

  if ⊢_r S[A ⊗ Ā] then ⊢_r S[⊥]. 

Proof. This lemma can be seen as a sort of dual of Lemma 1. By structural 
induction on the formula A. If A is a unit then the thesis follows from the 
admissibility of the EquivalenceN rule. 

In the case where A is an atom, the thesis follows from the previous lemma 
and from the admissibility of the EquivalenceN rule. 

The case where A is in the form A' ⅋ A'' can be treated as follows: 

  S[(A' ⅋ A'') ⊗ (Ā'' ⊗ Ā')] 
  ───────────────────────────  EqN 
  S[((A' ⅋ A'') ⊗ Ā'') ⊗ Ā'] 
  ───────────────────────────  Sw 
  S[(A' ⅋ (A'' ⊗ Ā'')) ⊗ Ā'] 
  ⋮  Inductive hypothesis 
  S[A' ⊗ Ā'] 
  ⋮  Inductive hypothesis 
  S[⊥] 

Note that the above is not a true derivation but just a schematic proof of 
the derivability of S[⊥]. The case where A is in the form A' ⊗ A'' is perfectly 
equivalent to this one. □ 

Having proved that all the rules in NLS are admissible in NLSr we can finally 
state: 

Proposition 3. ^ , A ^ A A 

That is, the restricted system NLSr is as powerful as the complete one NLS 
and from this we have: 

Theorem 2. r , NLS ^ ^ ^ ^ ^ 



5 Further Works 

A natural question to consider is whether the above treatment for the multiplicative cyclic logic can be extended to richer logics. In particular, one should consider the complete system of cyclic linear logic [2] and the multiplicative non-commutative logic of Abrusci and Ruet [5]. Complete cyclic linear logic extends the multiplicative part considered here by adding the missing linear logic connectives, while multiplicative non-commutative logic contains both commutative and non-commutative multiplicative connectives. 

Without giving any proof we claim that the first extension can be carried 
out quite smoothly; it is sufficient to consider the presentation of LL in the CoS 
given in [10] and modify it by removing the commutativity rules. In this way 
we obtain a proof system for cyclic linear logic. In this system cut elimination 
can be proved using the technique presented in this article, with the only extra 
difficulty of using a more complex induction to deal with the exponential and 
additive connectives. In fact these connectives can multiply the occurrences of a 
formula in the premises. 

The treatment of multiplicative non-commutative linear logic [5] is still an open problem. We remark that it is possible to formulate in the CoS all the rules of non-commutative logic as given, in the sequent calculus formulation, in [6]. However, this presentation would be an obvious and uninteresting result, in which deep inference plays no role. A more interesting application of the CoS in this setting would be a proof that the Seesaw rule (the non-commutative logic equivalent of the Cycling rule) can be replaced by deep inference. However, so far we have not been able to find a nice formulation of non-commutative logic in the CoS. Our difficulties can be explained by the fact that deep inference alone, in the non-commutative calculus, is not able to reduce the Interaction rule to the Atomic Interaction rule, and dually Cut to an atomic form of cut. These reductions are possible in the other logics and are a key ingredient in the cut elimination proofs. 
Abstract. In this paper we present a theory of proof nets for full multiplicative linear logic, including the two units. It naturally extends the well-known theory of unit-free multiplicative proof nets. A linking is no longer a set of axiom links but a tree in which the axiom links are subtrees. These trees will be identified according to an equivalence relation based on a simple form of graph rewriting. We show the standard results of sequentialization and strong normalization of cut elimination. Furthermore, the identifications enforced on proofs are such that the proof nets, as they are presented here, form the arrows of the free (symmetric) *-autonomous category. 



1 Introduction 

For a long time formal logicians have been aware of the need to determine, given 
a formal system S and two proofs of a formula A in that system, when these two 
proofs are “the same” proof. As a matter of fact this was already a concern of 
Hilbert when he was preparing his famous lecture in 1900 [Thi03]. This problem 
has taken more importance during the last few years, because many logical 
systems permit a close correspondence between proofs and programs. 

In a formalism like the sequent calculus (and to a lesser degree, natural deduction), it is oftentimes very easy to see that two derivations $\pi_1$ and $\pi_2$ should be identified because $\pi_1$ can be transformed into $\pi_2$ by a sequence of rule permutations that are obviously trivial. It is less immediately clear what transformations can be effected on a proof without changing its essence. But here category theory is very helpful, providing criteria for the identification of proofs that are simple, general and unambiguous, if sometimes too strong [Gir91]. 

The advent of linear logic marked a significant advance in that quest. In 
particular the multiplicative fragment of linear logic comes equipped with an 
extremely successful theory of proof identification: not only do we know exactly 
when two sequent proofs should be identified (the allowed rule permutations are 
described in [Laf95]), but there is a class of simple formal objects that precisely 
represent these equivalence classes of sequent proofs. These objects are called 
proof nets, and they have a strong geometric character, corresponding to addi- 
tional graph structure (“axiom links”) on the syntactical forest of the sequent. 
More precisely, given a sequent $\Gamma = A_1, \ldots, A_n$ and a proof $\pi$ of that sequent, then the proof net that represents $\pi$ is simply given by the syntactical forest of $\Gamma$ decorated with additional edges (shown in thick lines) that represent the identity axioms that appeared in the proof: 




Moreover proof nets are vindicated by category theory, since the category of two-formula sequents and proof nets is precisely the free *-autonomous category [Bar79] (without units) on the set of generating atomic formulas [Blu93]. As a matter of fact axiom links were already visible, under the name of graphs, in the early work [KL71] that tried to describe free autonomous categories; Girard's key insights [Gir87] here were in noticing that there was an inherent symmetry that could be formalized through a negation (thus the move from autonomous to *-autonomous), and that the addition of the axiom links to the sequent's syntactic forest was enough to completely characterize the proof. 

The theory of proof nets has been extended to larger fragments of linear logic; 
when judged from the point of view of their ability to identify proofs that should 
be identified, these extensions can be shown to have varying degrees of success. 
One of these extensions, which complies particularly well with the categorical 
ideal, is the inclusion of additive connectives presented in [HvG03], in which the 
additives correspond exactly to categorical product and coproduct. 

In this paper we give a theory of proof nets for the full multiplicative fragment. That is, our theory of proof nets includes the multiplicative units. We prove that it allows us to construct the free *-autonomous category with units on a given set of generating objects, thus getting full validation from the categorical imperative. 

There are only two other presentations for multiplicative units that we are aware of. In [KO99], the authors provide an internal language for autonomous and *-autonomous categories based on the $\lambda$-calculus, and in [BCST96], a non-standard version of two-sided proof nets for a weaker logic is developed from which the authors also claim to have constructed free *-autonomous categories. Our approach is different in the following way: by making full use of the symmetry given by the combination of an involutive negation and a one-sided sequent calculus, we get a notion of proof net which is considerably simpler than the one provided in [BCST96]. 



The Main Problem 

We assume that the reader is familiar with the sequent calculus for classical 
multiplicative linear logic. 

Fig. 1. Different representations of the same proof 

The theory of *-autonomous categories tells us that whenever a proof contains a rule instance $r$ which appears after a $\bot$-introduction rule and which does not introduce a connective under that $\bot$, then $r$ can be pushed above that $\bot$-introduction without changing the proof: 



$$
\dfrac{\dfrac{\Gamma}{\bot, \Gamma}\ \bot}{\bot, \Gamma'}\ r
\qquad\leadsto\qquad
\dfrac{\dfrac{\Gamma}{\Gamma'}\ r}{\bot, \Gamma'}\ \bot
$$



This seemingly trivial permutation actually has deep consequences. Supposing that rule $r$ was a $\otimes$-introduction, there is now a choice of two branches on which to do the $\bot$-introduction. 



$$
\dfrac{\dfrac{\Gamma, A}{\bot, \Gamma, A}\ \bot \qquad B, \Delta}{\bot, \Gamma, A \otimes B, \Delta}\ \otimes
\qquad\qquad
\dfrac{\dfrac{\Gamma, A \qquad B, \Delta}{\Gamma, A \otimes B, \Delta}\ \otimes}{\bot, \Gamma, A \otimes B, \Delta}\ \bot
\qquad\qquad
\dfrac{\Gamma, A \qquad \dfrac{B, \Delta}{\bot, B, \Delta}\ \bot}{\bot, \Gamma, A \otimes B, \Delta}\ \otimes
$$



Ordinary proof nets for multiplicative linear logic are characterized by the presence of axiom links, which connect the atoms of the syntactical forest of the sequent. When extending them to multiplicative units, the first impulse is probably to try to attach the $\bot$s that are present on the sequent forest to other atomic formulas. This is what is done in [BCST96] and corresponds, in the sequent calculus, to doing the $\bot$-introductions as early as possible, that is, as high up on the sequent tree as can be done. The paragraph above shows that an arbitrary choice has to be made because of tensor introductions: in a $\otimes$-intro one branch of the sequent proof tree or the other has to be chosen for doing the $\bot$-intro. In such a situation correct identification of proofs can only be achieved by considering equivalence classes of graphs, and the theory of proof nets involves an equivalence relation on a set of "correct" graphs. 

Another possibility is to attach these $\bot$s "as low as possible" on the forest, corresponding to the idea that in the sequent calculus deduction the $\bot$-intro would be done as late as possible, for example just before the $\bot$ instance gets a connective introduced under it. One way of implementing this is linking the $\bot$ instance to the last connective that was introduced above it. This is not the only way of doing things; for example we could imagine links that attach that $\bot$ instance to several subformulas of the sequent forest, corresponding to the several conclusions of the sequent that existed above the $\bot$-introduction. 

But whatever way we choose to "normalize" proofs, we claim that if the conventional notion of "link" is used for $\bot$s (i.e., if we consider a proof $\pi$ on the sequent $\Gamma$ as the sequent forest of $\Gamma$ decorated with special edges that encode information about the essence of $\pi$) we still need to use equivalence classes of such graphs, and there is no hope of having a normal form in that universe of enriched sequent graphs. For instance, the six graphs in Figure 1 are easily seen to represent equivalent proofs, because going from an odd-numbered example to its successor is just sliding a $\bot$-intro up in one of the $\otimes$-intro branches, and going from an even-numbered example to its successor is just doing the reverse transformation. But notice that examples (3) and (5) are isomorphic graphs, since one can be exactly superposed on the other modulo Exchange. Thus it is impossible, given the information at our disposal, to choose one instead of the other to represent the abstract proof they both denote. The only way this could be done would be by using arbitrary extra information, like the order of the formulas in the sequent, a strategy that only replaces the overdeterminism of the sequent calculus by another kind of overdeterminism. 

The same can be said of Examples (2) and (6), which are also isomorphic modulo Exchange. But notice that these two comply with the "as early as possible" strategy, while the previous two were of the "as late as possible" kind. So for neither strategy can there be a hope of a graphical normal form. The interested reader can verify that the six examples above are part of a "ring" of 24 graphs that are all equivalent from the point of view of category theory. 

Thus there is one aspect of our work that does not differ from [BCST96], which is our presentation of abstract proofs as equivalence classes of graphs. But some related aspects are significantly different: 

— The graphs that belong to our equivalence classes are ordinary unit-free proof nets, where the usual notions, like correctness criteria and the empire of a tensor branch, will apply. It is just that some $\parr$ and $\otimes$ links are used in a particular fashion to deal with the units. (The readers can choose their favorite correctness criterion since they are all equivalent; in this paper we will use the one of [DR89] because of its popularity.) 

— The equivalence relation we will present is based on a very simple set of rewriting rules on proof graphs. As a matter of fact, there is only one non-trivial rule, since the other rules have to do with commutativity and associativity of the connectives and can be dispensed with if we use, for example, n-ary connectives. 
Fig. 2. Two examples of proof graphs 



2 Cut Free Proof Nets for MLL 

Let $\mathcal A = \{a, b, \ldots\}$ be an arbitrary set of atoms, and let $\mathcal A^\bot = \{a^\bot, b^\bot, \ldots\}$. The set of MLL formulas is defined as follows: 

$$\mathcal F ::= \mathcal A \mid \mathcal A^\bot \mid 1 \mid \bot \mid \mathcal F \parr \mathcal F \mid \mathcal F \otimes \mathcal F .$$

Additionally, we will define the set of MLL linkings (which can be seen as a special kind of formulas) as follows: 

$$\mathcal L ::= 1 \mid a \otimes a^\bot \mid a^\bot \otimes a \mid \bot \otimes \mathcal L \mid \mathcal L \otimes \bot \mid \mathcal L \parr \mathcal L .$$

Here, $a$ stands for any element of $\mathcal A$. We will use $A, B, \ldots$ to denote formulas, and $P, Q, \ldots$ to denote linkings. Sequents (denoted by $\Gamma, \Delta, \ldots$) are finite lists of formulas (separated by commas). 

In the following, we will always consider both formulas and linkings as binary trees (and sequents as forests), whose leaves are decorated by elements of $\mathcal A \cup \mathcal A^\bot \cup \{1, \bot\}$, and whose inner nodes are decorated by $\parr$ or $\otimes$. We can also think of the nodes being decorated by the whole subformula above that node. 

2.1 Definition. A pre-proof graph is a graph consisting of a linking $P$ and a sequent $\Gamma$, both of which share the same set of leaves. It will be denoted as $P \triangleright \Gamma$. 

Following the tradition, we will draw these graphs such that the roots of the formula trees are at the bottom, the root of the linking tree is at the top, and the leaves are in between. Figure 2 shows two examples. The first of them corresponds to the first graph in Figure 1. A more compact notation for this is 

$$
\begin{array}{c}
(1_1 \otimes \bot_2) \parr ((\bot_3 \otimes 1_4) \parr ((\bot_5 \otimes 1_6) \parr 1_7))\\
\triangledown\\
1_1,\ \bot_2 \otimes \bot_3,\ 1_4,\ \bot_5 \otimes 1_6,\ 1_7
\end{array}
$$

and 

$$
\begin{array}{c}
\bot_1 \otimes ((1_2 \otimes \bot_4) \parr ((a_3 \otimes a_5^\bot) \parr (a_6^\bot \otimes a_7)))\\
\triangledown\\
\bot_1,\ 1_2 \parr a_3,\ \bot_4 \otimes ((a_5^\bot \otimes a_6^\bot) \parr a_7)
\end{array}
$$

Here, the indices are used to show how the leaves of the linking and the leaves of the sequent are identified. In this way we will, throughout this paper, use indices on atoms to distinguish between different occurrences of the same atom (i.e. $a_3$ and $a_7$ do not denote different atoms). In the same way, indices on the units $1$ and $\bot$ are used to distinguish different occurrences. 

2.2 Definition. A switching of a pre-proof graph $P \triangleright \Gamma$ is a graph $G$ that is obtained from $P \triangleright \Gamma$ by omitting for each $\parr$-node one of the two edges that connect the node to its children. [DR89] 

2.3 Definition. A pre-proof graph $P \triangleright \Gamma$ is called correct if all its switchings are connected and acyclic. A proof graph is a correct pre-proof graph. 

The examples in Figure 2 are proof graphs. 

Let $P \triangleright \Gamma$ be a pre-proof graph where one $\bot$ is selected. Let it be indexed as $\bot_i$. Now, let $G$ be a switching of $P \triangleright \Gamma$, and let $G'$ be the graph obtained from $G$ by removing the edge between $\bot_i$ and its parent in $P$ (which is always a $\otimes$). Then $G'$ is called an extended switching of $P \triangleright \Gamma$ with respect to $\bot_i$. 

Observe that, if $P \triangleright \Gamma$ is correct, then every extended switching is a graph that has exactly two connected components. 

We will use the notation $P\{Q\} \triangleright \Gamma$ to distinguish the subtree $Q$ of the linking tree of the graph. Then $P\{\ \}$ is the context of $Q$. 

2.4 Equivalence on Pre-proof Graphs. On the set of pre-proof graphs we will define the relation $\sim$ to be the smallest equivalence relation satisfying 

$$
\begin{array}{rcl}
P\{Q \parr R\} \triangleright \Gamma &\sim& P\{R \parr Q\} \triangleright \Gamma\\
P\{(Q \parr R) \parr S\} \triangleright \Gamma &\sim& P\{Q \parr (R \parr S)\} \triangleright \Gamma\\
P\{Q \otimes R\} \triangleright \Gamma &\sim& P\{R \otimes Q\} \triangleright \Gamma\\
P\{\bot_i \otimes (Q \otimes \bot_j)\} \triangleright \Gamma &\sim& P\{(\bot_i \otimes Q) \otimes \bot_j\} \triangleright \Gamma\\
P\{Q \parr (R \otimes \bot_i)\} \triangleright \Gamma &\sim& P\{(Q \parr R) \otimes \bot_i\} \triangleright \Gamma
\end{array}
$$

where the last equation only holds if the following side condition is fulfilled: 

(*) In each extended switching of $P\{Q \parr (R \otimes \bot_i)\} \triangleright \Gamma$ with respect to $\bot_i$ no node of the subtree $Q$ is connected to $\bot_i$. 

The following proof graph is equivalent to the second one in Figure 2: 

$$
\begin{array}{c}
(((\bot_1 \otimes 1_2) \otimes \bot_4) \parr (a_3 \otimes a_5^\bot)) \parr (a_6^\bot \otimes a_7)\\
\triangledown\\
\bot_1,\ 1_2 \parr a_3,\ \bot_4 \otimes ((a_5^\bot \otimes a_6^\bot) \parr a_7) .
\end{array}
$$




On Proof Nets for Multiplicative Linear Logic with Units 






$$
\begin{array}{c}
\text{id}\ \dfrac{}{a \otimes a^\bot \triangleright a, a^\bot}
\qquad
\text{ex}\ \dfrac{P \triangleright \Gamma, A, B, \Delta}{P \triangleright \Gamma, B, A, \Delta}
\qquad
1\ \dfrac{}{1 \triangleright 1}
\qquad
\bot\ \dfrac{P \triangleright \Gamma}{\bot \otimes P \triangleright \bot, \Gamma}
\\[14pt]
\parr\ \dfrac{P \triangleright A, B, \Gamma}{P \triangleright A \parr B, \Gamma}
\qquad
\otimes\ \dfrac{P \triangleright \Gamma, A \qquad Q \triangleright B, \Delta}{P \parr Q \triangleright \Gamma, A \otimes B, \Delta}
\end{array}
$$

Fig. 3. Translation of cut free sequent calculus proofs into pre-proof graphs 

2.5 Definition. A pre-proof net is an equivalence class $[P \triangleright \Gamma]_\sim$. A pre-proof net is correct if one of its elements is correct. In this case it is called a proof net. 

In the following, we will for a given proof graph $P \triangleright \Gamma$ write $[P \triangleright \Gamma]$ to denote the proof net formed by its equivalence class (i.e. we will omit the $\sim$ subscript). 

2.6 Lemma. If $P \triangleright \Gamma$ is a proof graph and $P \triangleright \Gamma \sim P' \triangleright \Gamma$, then $P' \triangleright \Gamma$ is a proof graph. 

Proof: That the first four equations preserve correctness is obvious. If in the last equation there is a switching that makes one side disconnected, then it also makes the other side disconnected. For acyclicity, we have to check whether there is a switching that produces a cycle on the right-hand side of the equation and not on the left-hand side. This is only possible if the cycle contains some nodes of $Q$ and the $\bot_i$. But this case is ruled out by the side condition (*). □ 

Lemma 2.6 ensures that the notion of proof net is well-defined, in the sense that all its members are proof graphs, i.e. correct. 
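The correctness criterion of Definitions 2.2 and 2.3, the extended switchings, and the side condition (*) of 2.4, carried out in code as an added example (not the paper's own); it assumes a tuple encoding of formula trees with leaf names such as 'a5^' for $a_5^\bot$, and its sample graph is constructed to follow the second graph of Figure 2:

```python
"""Danos-Regnier correctness for the pre-proof graphs P |> Gamma of Section 2
(a linking tree P and a sequent forest Gamma sharing their leaves), plus the
extended switchings of 2.3 and the side condition (*) of 2.4.  Added example,
not code from the paper; sample graphs are constructed in its indexed notation
('a5^' is a_5^bot, 'bot1' is bot_1, 'one2' is 1_2).  Trees: ('par', l, r) or
('tensor', l, r) for inner nodes, strings for leaves shared by P and Gamma."""
from itertools import product


def build_graph(linking, sequent):
    """Undirected graph of P |> Gamma as (nodes, edges, pars).  Inner nodes are
    keyed (tree_id, path); pars lists each par node with its two child edges."""
    nodes, edges, pars = set(), [], []

    def walk(tree, tid, path):
        if isinstance(tree, str):          # leaf, shared between P and Gamma
            nodes.add(tree)
            return tree
        kind, left, right = tree
        me = (tid, path)
        nodes.add(me)
        kids = (walk(left, tid, path + 'l'), walk(right, tid, path + 'r'))
        edges.extend((me, k) for k in kids)
        if kind == 'par':
            pars.append((me, kids))
        return me

    walk(linking, 'P', '')
    for i, formula in enumerate(sequent):
        walk(formula, 'G%d' % i, '')
    return nodes, edges, pars


def components(nodes, edges):
    """Union-find: returns (component count, acyclic?, find)."""
    parent = {n: n for n in nodes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    acyclic = True
    for u, v in edges:
        ru, rv = find(u), find(v)
        if ru == rv:
            acyclic = False                # this edge closes a cycle
        else:
            parent[ru] = rv
    return len({find(n) for n in nodes}), acyclic, find


def switchings(edges, pars):
    """Every switching (Definition 2.2): drop one child edge per par node."""
    for choice in product((0, 1), repeat=len(pars)):
        dropped = {(p, kids[c]) for (p, kids), c in zip(pars, choice)}
        yield [e for e in edges if e not in dropped]


def is_correct(linking, sequent):
    """Definition 2.3: correct iff every switching is connected and acyclic."""
    nodes, edges, pars = build_graph(linking, sequent)
    return all(components(nodes, sw)[:2] == (1, True)
               for sw in switchings(edges, pars))


def extended_switchings(linking, sequent, bot):
    """Switchings minus the edge from bot to its parent in P (Definition 2.3);
    for a correct graph every one of them has exactly two components."""
    nodes, edges, pars = build_graph(linking, sequent)
    cut = [e for e in edges if e[1] == bot and e[0][0] == 'P'][0]
    for sw in switchings(edges, pars):
        yield nodes, [e for e in sw if e != cut]


def side_condition(linking, sequent, q_path, bot):
    """Side condition (*) of 2.4 for rewriting P{Q par (R tensor bot_i)}: in no
    extended switching w.r.t. bot_i is a node of Q (at q_path in P) tied to it."""
    q = linking
    for step in q_path:                    # descend to the subtree Q
        q = q[1] if step == 'l' else q[2]

    def keys(t, p):                        # graph keys of all nodes of Q
        if isinstance(t, str):
            return {t}
        return {('P', p)} | keys(t[1], p + 'l') | keys(t[2], p + 'r')
    q_nodes = keys(q, q_path)
    for nodes, edges in extended_switchings(linking, sequent, bot):
        _, _, find = components(nodes, edges)
        if any(find(n) == find(bot) for n in q_nodes):
            return False
    return True


# Constructed sample shaped like the second graph of the paper's Figure 2:
# bot_1 x ((1_2 x bot_4) par ((a_3 x a_5^) par (a_6^ x a_7))) over the sequent
# bot_1, 1_2 par a_3, bot_4 x ((a_5^ x a_6^) par a_7); Q is the subtree at 'rr'.
LINKING_2 = ('tensor', 'bot1',
             ('par', ('tensor', 'one2', 'bot4'),
                     ('par', ('tensor', 'a3', 'a5^'), ('tensor', 'a6^', 'a7'))))
SEQUENT_2 = ['bot1', ('par', 'one2', 'a3'),
             ('tensor', 'bot4', ('par', ('tensor', 'a5^', 'a6^'), 'a7'))]
# Constructed non-example: an axiom link under a tensor (switching has a cycle).
BAD_LINKING = ('tensor', 'a1', 'a2^')
BAD_SEQUENT = [('tensor', 'a1', 'a2^')]
```

On the sample, bot_1 may be rewritten next to Q by the last equation of 2.4 (its extended switchings leave it isolated), while bot_4 may not, since the sequent ties it to Q in every extended switching.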

3 Sequentialization 

Figure 3 shows how cut free sequent proofs of MLL can be inductively translated into pre-proof graphs. 

We will call a pre-proof net¹ sequentializable if one of its representatives can be obtained from a sequent calculus proof via this translation. 

¹ What we call pre-proof net is in the literature often called proof structure. 

3.1 Theorem. A pre-proof net is correct if and only if it is sequentializable. 

For the proof we will need the observation that any proof graph is an ordinary unit-free proof net, and the well-known fact that there is always a splitting tensor in such a net. 

3.2 Observation. Every proof graph $P \triangleright \Gamma$ is an ordinary unit-free proof net in the style of [DR89]. To make this precise, define for the linking $P$ the formula $P^*$ inductively as follows: 
$$
\begin{array}{lll}
a^{\bot *} = a & 1^* = \bot & (A \parr B)^* = A^* \parr B^*\\
a^* = a^\bot & \bot^* = 1 & (A \otimes B)^* = A^* \otimes B^* .
\end{array}
$$

In other words, $P^*$ is obtained from $P$ by replacing each leaf by its dual and by leaving all inner nodes unchanged. We now connect the leaves of $P^*$ and $\Gamma$ by ordinary axiom links according to the leaf identification in $P \triangleright \Gamma$. If we forget the fact that $\bot$ and $1$ are the units and think of them as ordinary dual atoms, then we have an ordinary unit-free proof net². 

3.3 Lemma. Every unit-free proof net without $\parr$-roots has a splitting $\otimes$ [Gir87]. 

Proof of Theorem 3.1 (Sketch): It is easy to see that the rules $1$ and id give proof graphs and that the rules $\bot$, $\parr$, and $\otimes$ preserve correctness. Therefore every sequentializable pre-proof net is correct. 

For the other direction pick one representative $P \triangleright \Gamma$ of the proof net and proceed by induction on the sum of the number of $\otimes$-nodes in the graph and the number of $\parr$-nodes in $\Gamma$. We now interpret $P \triangleright \Gamma$ as an ordinary unit-free proof net (according to Observation 3.2), and remove all $\parr$-roots (for those inside $\Gamma$ apply the $\parr$ rule and proceed by induction hypothesis). Then apply Lemma 3.3. If the splitting $\otimes$ is inside $\Gamma$, we can apply the $\otimes$-rule and proceed by induction hypothesis; if it is inside $P$, it must come from an axiom link or a bottom link. In both cases we can obtain two smaller proof graphs, to which we can apply the induction hypothesis to get two sequent proofs, which can be composed by plugging one into a leaf of the other. □ 



4 Cut and Cut Elimination 

A cut is a formula $A \bowtie A^\bot$, where $\bowtie$ is called the cut connective, and where the function $(-)^\bot$ is defined on formulas as follows (with a little abuse of notation): 

$$
\begin{array}{lll}
a^{\bot\bot} = a & 1^\bot = \bot & (A \otimes B)^\bot = A^\bot \parr B^\bot\\
a^\bot = a^\bot & \bot^\bot = 1 & (A \parr B)^\bot = A^\bot \otimes B^\bot .
\end{array}
$$

A cut sequent is a sequent where some of the formulas are cuts. But cuts are not allowed to occur inside formulas, i.e. all $\bowtie$-nodes are roots. A cut pre-proof graph is a pre-proof graph $P \triangleright \Gamma$, where $\Gamma$ may contain cuts. 

The $\bowtie$-nodes have the same geometric behavior as the $\otimes$-nodes. Therefore the correctness criterion stays literally the same, and we can define cut proof graphs and cut proof nets accordingly. In the translation from sequent proofs containing the cut rule into pre-proof graphs with cuts, the cut is treated as follows: 

$$
\dfrac{\Gamma, A \qquad A^\bot, \Delta}{\Gamma, \Delta}\ \text{cut}
\qquad\leadsto\qquad
\dfrac{P \triangleright \Gamma, A \qquad Q \triangleright A^\bot, \Delta}{P \parr Q \triangleright \Gamma, A \bowtie A^\bot, \Delta}\ \text{cut} .
$$



² If $\Gamma$ consists of only one formula, then we have an object which is in [BC99] called a bipartite proof net. In fact, two proof graphs (in our sense) are equivalent if and only if the two linkings (seen as formulas) are isomorphic (in the sense of [BC99]). 

Fig. 4. Cut elimination reduction steps 



Since the $\bowtie$ behaves in the same way as the $\otimes$, we immediately have the generalization of the sequentialization: 

4.1 Theorem. A cut pre-proof net is correct if and only if it is sequentializable. 

On the set of cut pre-proof graphs we can define the cut reduction relation $\to$ as follows: 

$$
\begin{array}{rcl}
P \triangleright (A \otimes B) \bowtie (A^\bot \parr B^\bot), \Gamma & \to & P \triangleright A \bowtie A^\bot, B \bowtie B^\bot, \Gamma\\[6pt]
P\{(a_h^\bot \otimes a_i) \parr (a_j^\bot \otimes a_k)\} \triangleright a_i \bowtie a_j^\bot, \Gamma & \to & P\{a_h^\bot \otimes a_k\} \triangleright \Gamma\\[6pt]
P\{(Q \otimes \bot_i) \parr 1_j\} \triangleright \bot_i \bowtie 1_j, \Gamma & \to & P\{Q\} \triangleright \Gamma
\end{array}
$$

These reduction steps are shown in graphical notation in Figure 4. 

4.2 Lemma. If $P \triangleright \Gamma$ is a cut proof graph and $P \triangleright \Gamma \to P' \triangleright \Gamma'$, then $P' \triangleright \Gamma'$ is a cut proof graph. 

Proof: It is impossible that a cut reduction step introduces a cycle in a switching or makes it disconnected. □ 
Observe that it can happen that in a proof graph no reduction is possible, although there are cuts present in the sequent. For example, in the following proof graph (figure not reproduced) the cut cannot be reduced. 

In a given proof graph $P \triangleright \Gamma$, a $\bowtie$-node that can be reduced will be called ready. Obviously, a cut on a $\otimes$-$\parr$-pair is always ready, but for a cut on atoms or units this is not necessarily the case, as the example above shows. However, we have the following theorem: 

4.3 Theorem. Let $P \triangleright \Gamma$ be a proof graph and let $\bowtie$ be a cut in $\Gamma$. Then there is a proof graph $P' \triangleright \Gamma \sim P \triangleright \Gamma$ in which $\bowtie$ is ready. 

This is an immediate consequence of the following two lemmas. 

4.4 Lemma. If $P \triangleright a_i \bowtie a_j^\bot, \Gamma$ is a proof graph, then it is equivalent to a proof graph of the form $P'\{(a_h^\bot \otimes a_i) \parr (a_j^\bot \otimes a_k)\} \triangleright a_i \bowtie a_j^\bot, \Gamma$. 

4.5 Lemma. If $P \triangleright \bot_i \bowtie 1_j, \Gamma$ is a proof graph, then it is equivalent to a proof graph of the form $P'\{(Q \otimes \bot_i) \parr 1_j\} \triangleright \bot_i \bowtie 1_j, \Gamma$. 

For proving them, we will use the following three lemmas. 

4.6 Lemma. If $P\{(\bot_k \otimes R\{x_i\}) \parr (S\{x_j^\bot\} \otimes \bot_h)\} \triangleright x_i \bowtie x_j^\bot, \Gamma$ is a proof graph, then it is equivalent to the proof graphs 

$$P\{\bot_k \otimes (R\{x_i\} \parr (S\{x_j^\bot\} \otimes \bot_h))\} \triangleright x_i \bowtie x_j^\bot, \Gamma$$

and 

$$P\{((\bot_k \otimes R\{x_i\}) \parr S\{x_j^\bot\}) \otimes \bot_h\} \triangleright x_i \bowtie x_j^\bot, \Gamma .$$

4.7 Lemma. If $P\{(\bot_k \otimes R\{x_i\}) \parr (x_j^\bot \otimes Q)\} \triangleright x_i \bowtie x_j^\bot, \Gamma$ is a proof graph, then it is equivalent to $P\{\bot_k \otimes (R\{x_i\} \parr (x_j^\bot \otimes Q))\} \triangleright x_i \bowtie x_j^\bot, \Gamma$. 

4.8 Lemma. If $P\{(\bot_k \otimes R\{x_i\}) \parr x_j^\bot\} \triangleright x_i \bowtie x_j^\bot, \Gamma$ is a proof graph, then it is equivalent to $P\{\bot_k \otimes (R\{x_i\} \parr x_j^\bot)\} \triangleright x_i \bowtie x_j^\bot, \Gamma$. 

Proof of Lemma 4.4 (Sketch): Since the proof graph is correct, the linking $P$ must be of the shape $P''\{R\{a_h^\bot \otimes a_i\} \parr S\{a_j^\bot \otimes a_k\}\}$ for some contexts $P''\{\ \}$, $R\{\ \}$ and $S\{\ \}$. The contexts $R\{\ \}$ and $S\{\ \}$ can be reduced to $\{\ \}$ by applying Lemma 4.6 and Lemma 4.7 repeatedly. 

Proof of Lemma 4.5 (Sketch): Similar to Lemma 4.4, but in this case we also need Lemma 4.8. 

Let us now extend the relation $\to$ to proof nets as follows: $[P \triangleright \Gamma] \to [Q \triangleright \Delta]$ if and only if there are proof graphs $P' \triangleright \Gamma$ and $Q' \triangleright \Delta$ such that 

$$P \triangleright \Gamma \sim P' \triangleright \Gamma \to Q' \triangleright \Delta \sim Q \triangleright \Delta .$$







4.9 Lemma. There is no infinite chain $[P \triangleright \Gamma] \to [P' \triangleright \Gamma'] \to [P'' \triangleright \Gamma''] \to \cdots$. 

Proof: In each reduction step the size of the sequent (i.e. the number of $\parr$-, $\otimes$- and $\bowtie$-nodes) is reduced. □ 

4.10 Lemma. If $P \triangleright \Gamma \sim P' \triangleright \Gamma$ and $P \triangleright \Gamma \to Q \triangleright \Delta$, then there is a proof graph $Q' \triangleright \Delta$ such that $P' \triangleright \Gamma \to Q' \triangleright \Delta$ and $Q \triangleright \Delta \sim Q' \triangleright \Delta$. 

Proof: Easy case analysis. □ 

4.11 Lemma. If $Q \triangleright \Delta \leftarrow P \triangleright \Gamma \to R \triangleright \Sigma$, then either $Q \triangleright \Delta = R \triangleright \Sigma$, or there is a proof graph $S \triangleright \Phi$ such that $Q \triangleright \Delta \to S \triangleright \Phi \leftarrow R \triangleright \Sigma$. 

4.12 Lemma. If $[Q \triangleright \Delta] \leftarrow [P \triangleright \Gamma] \to [R \triangleright \Sigma]$, then either $[Q \triangleright \Delta] = [R \triangleright \Sigma]$, or there is a proof net $[S \triangleright \Phi]$ such that $[Q \triangleright \Delta] \to [S \triangleright \Phi] \leftarrow [R \triangleright \Sigma]$. 

Proof (Sketch): Let $\bowtie_1$ denote the cut that is reduced in $\Gamma$ to obtain $\Delta$ and $\bowtie_2$ the one that is reduced to obtain $\Sigma$. The basic idea is to apply Theorem 4.3 in order to make both cuts ready at the same time and then apply Lemma 4.11 and Lemma 4.10. There is essentially only one case in which it is not possible to make both cuts ready at the same time, namely, when they use the same axiom link. In other words, $P \triangleright \Gamma$ is of the following shape: 

$$
\begin{array}{c}
P'\{(P''\{a_h^\bot \otimes a_i\} \parr P'''\{a_j^\bot \otimes a_k\}) \parr P''''\{a_l^\bot \otimes a_m\}\}\\
\triangledown\\
a_i \bowtie_1 a_j^\bot,\ a_k \bowtie_2 a_l^\bot,\ \Gamma'
\end{array}
$$

But whatever order of reduction is used, in both cases we get something of the shape $S''\{a_h^\bot \otimes a_m\} \triangleright \Gamma'$. □ 

4.13 Theorem. The cut reduction relation $\to$ on proof nets is terminating and confluent, and its normal forms are cut free. 

Proof: Termination is provided by Lemma 4.9 and confluence follows from Lemma 4.12. That the normal form is cut free is ensured by Theorem 4.3. □ 

5 *-Autonomy 

For any formula $A$, we can provide an identity proof net $\mathrm{id}_A = [I_A \triangleright A^\bot, A]$, where $I_A$ is the linking defined inductively on $A$ as follows: 

$$
\begin{array}{rcl}
I_a = I_{a^\bot} &=& a \otimes a^\bot\\
I_\bot = I_1 &=& \bot \otimes 1\\
I_{A \parr B} = I_{A \otimes B} &=& I_A \parr I_B
\end{array}
$$

Observe that we can have that $I_A = I_{A^\bot}$ because changing the order of the arguments of a $\otimes$ or $\parr$ in the linking of a proof graph does not change the proof net (see 2.4). 

Furthermore, for any two proof nets $f = [P \triangleright A^\bot, B]$ and $g = [Q \triangleright B^\bot, C]$, we can define their composition $g \circ f$ to be the result of the cut elimination procedure applied to $[P \parr Q \triangleright A^\bot, B \bowtie B^\bot, C]$. That this is well-defined and associative follows almost immediately from the strong normalization of cut elimination. We also have that $f \circ \mathrm{id}_A = f = \mathrm{id}_B \circ f$. 

This gives rise to a category $\mathrm{PN}(\mathcal A)$ whose objects are the MLL formulas built over $\mathcal A \cup \mathcal A^\bot \cup \{\bot, 1\}$, and whose arrows are the proof nets. More precisely, the arrows between two objects $A$ and $B$ are the (cut-free) proof nets $[P \triangleright A^\bot, B]$. The operation $\otimes$ on formulas can be extended to a bifunctor $\otimes : \mathrm{PN}(\mathcal A) \times \mathrm{PN}(\mathcal A) \to \mathrm{PN}(\mathcal A)$ by defining for two arrows $f = [P \triangleright A^\bot, B]$ and $g = [Q \triangleright C^\bot, D]$ the arrow $f \otimes g = [P \parr Q \triangleright A^\bot \parr C^\bot, B \otimes D]$. It can easily be seen that this bifunctor makes our category symmetric monoidal (with unit $1$): the basic natural isomorphisms demanded by the definition (associativity, right unit, left unit, symmetry) are 

$$
\begin{array}{rcl}
\alpha_{A,B,C} &=& [I_A \parr I_B \parr I_C \triangleright A^\bot \parr (B^\bot \parr C^\bot),\ (A \otimes B) \otimes C]\\
\rho_A &=& [\bot \otimes I_A \triangleright A^\bot \parr \bot,\ A]\\
\lambda_A &=& [\bot \otimes I_A \triangleright \bot \parr A^\bot,\ A]\\
\sigma_{A,B} &=& [I_A \parr I_B \triangleright A^\bot \parr B^\bot,\ B \otimes A]
\end{array}
$$

It is easy to check that these are indeed proof nets, that $\alpha$, $\rho$, $\lambda$, and $\sigma$ are natural isomorphisms for all formulas $A$, $B$, and $C$, and that the corresponding diagrams (see [BW99]) commute. 

Furthermore, we can exhibit the (contravariant) duality functor $(-)^\bot$ whose object function has already been defined. For an arrow $f = [P \triangleright A^\bot, B] : A \to B$ let $f^\bot = [P \triangleright B, A^\bot] : B^\bot \to A^\bot$. This determines a symmetric *-autonomous category structure [Bar79, BW99]. In particular, we define the bifunctor $- \parr -$ as $A \parr B = (A^\bot \otimes B^\bot)^\bot$ and its unit object as $\bot = 1^\bot$. The last thing to check is that we have the natural bijection 

$$
\mathrm{Hom}(A \otimes B, C) \cong \mathrm{Hom}(A, B^\bot \parr C)
\qquad
[P \triangleright A^\bot \parr B^\bot, C] \mapsto [P \triangleright A^\bot, B^\bot \parr C] .
$$

6 The Free *-Autonomous Category 

In this section we will show that the category of proof nets is the free symmetric *-autonomous category. Let $\mathcal A$ be a set and let $\eta_{\mathcal A} : \mathcal A \to \mathrm{Obj}(\mathrm{PN}(\mathcal A))$ be the function that maps every element of $\mathcal A$ to itself seen as atomic formula. To say that $\mathrm{PN}(\mathcal A)$ is the free symmetric *-autonomous category generated by $\mathcal A$ means the following: 

6.1 Theorem. For every symmetric *-autonomous category $(\mathcal C, \otimes, 1_{\mathcal C}, (-)^\bot)$³ and every function $G^0 : \mathcal A \to \mathrm{Obj}(\mathcal C)$, there is a unique *-autonomous functor $G : \mathrm{PN}(\mathcal A) \to \mathcal C$ such that $G^0 = \mathrm{Obj}(G) \circ \eta_{\mathcal A}$, where $\mathrm{Obj}(G)$ is the object function of $G$. 

The remainder of this section is devoted to a sketch of the proof of this theorem. For this we will introduce the following notation. 

³ For simplicity we assume that for every object $C$ of $\mathcal C$ we have $C^{\bot\bot} = C$. This can be relaxed to a natural isomorphism by standard trickery. 
Let $I$ be an index set. A bracketing of $I$ is given by a total order $I = \{i_1, \ldots, i_k\}$ and a binary tree structure whose set of leaves is $I$, such that the order is respected. We will denote bracketings of $I$ also by $I$. The whole point of this is, given an $I$-indexed family $(C_i)_{i \in I}$ of objects of $\mathcal C$, that we can write $\bigotimes_I\{C_{i_1}, \ldots, C_{i_k}\}$ to denote the object of $\mathcal C$ that is obtained by applying the functor $- \otimes -$ according to the bracketing $I$. By a standard theorem of symmetric monoidal categories, any two objects obtained from different bracketings of the same set have a unique "coherence" isomorphism between them. Notice that this will involve the symmetry only if the order differs on the bracketings. Similarly, $\mathop{\parr}_I\{C_{i_1}, \ldots, C_{i_k}\}$ is defined. For empty $I$, let $\bigotimes_\emptyset = 1_{\mathcal C}$ and $\mathop{\parr}_\emptyset = \bot_{\mathcal C} = 1_{\mathcal C}^\bot$. The purpose of this notation is to state the following property of *-autonomous categories. 

6.2 Proposition. Let $\mathcal C$ be a *-autonomous category and let $C_1, \ldots, C_n$ be objects of $\mathcal C$. For $I, J \subseteq \{1, \ldots, n\}$, with $\complement I = \{1, \ldots, n\} \setminus I$ and $\complement J = \{1, \ldots, n\} \setminus J$, and for any bracketings of $I$, $\complement I$, $J$, $\complement J$, there is a bijection 

$$
\mathrm{Hom}_{\mathcal C}\big(\textstyle\bigotimes_I\{C_i^\bot \mid i \in I\},\ \mathop{\parr}_{\complement I}\{C_i \mid i \in \complement I\}\big)
\ \cong\ 
\mathrm{Hom}_{\mathcal C}\big(\textstyle\bigotimes_J\{C_i^\bot \mid i \in J\},\ \mathop{\parr}_{\complement J}\{C_i \mid i \in \complement J\}\big) .
$$

Proof: The proof is done by repeatedly applying the associativity and commutativity of the two functors $- \otimes -$ and $- \parr -$, the natural isomorphisms for the units, and the natural bijection $\mathrm{Hom}_{\mathcal C}(A \otimes B, C) \cong \mathrm{Hom}_{\mathcal C}(A, B^\bot \parr C)$, which is imposed by the *-autonomous structure. □ 

Let now the *-autonomous category $\mathcal C$ and the embedding $G^0 : \mathcal A \to \mathrm{Obj}(\mathcal C)$ be given. We will exhibit the functor $G : \mathrm{PN}(\mathcal A) \to \mathcal C$ which has the desired properties. On the objects, this functor is uniquely determined as follows: 

$$
\begin{array}{lll}
G(a) = G^0(a) & G(\bot) = \bot_{\mathcal C} & G(A \parr B) = G(A) \parr G(B)\\
G(a^\bot) = G^0(a)^\bot & G(1) = 1_{\mathcal C} & G(A \otimes B) = G(A) \otimes G(B)
\end{array}
$$

There is no other choice since the objects $1_{\mathcal C}$ and $\bot_{\mathcal C}$ in $\mathcal C$, as well as the functors $(-)^\bot$, $- \otimes -$, and $- \parr -$ are uniquely determined by the *-autonomous structure on $\mathcal C$. 

For defining $G$ on the morphisms, the situation is not as simple. We will first ignore the fact that the units are units and interpret a proof graph (with cuts) $P \triangleright \Gamma$ as an ordinary unit-free proof net with conclusions $A_0, \ldots, A_n, B_1 \bowtie B_1^\bot, \ldots, B_m \bowtie B_m^\bot$, where $A_0 = P^*$ (see Observation 3.2), $A_1, \ldots, A_n$ are the formulas in $\Gamma$ that are not cuts, and $B_1 \bowtie B_1^\bot, \ldots, B_m \bowtie B_m^\bot$ are the cuts in $\Gamma$. To each such object we will uniquely assign a family of morphisms 

$$\textstyle\bigotimes_I\{G(A_i)^\bot \mid i \in I\} \to \mathop{\parr}_{\complement I}\{G(A_i) \mid i \in \complement I\}$$

indexed by the bracketings on the subsets $I \subseteq \{0, \ldots, n\}$ and their complements. Proposition 6.2 ensures that every member of such a family of morphisms determines the others uniquely. The construction is done by induction on the size of the proof graph, using Lemma 3.3. (In fact, it is quite similar to the sequentialization.) 

Observe that in particular this construction gives us for each proof graph $P \triangleright A^\bot, B$ a unique arrow $\psi_{P \triangleright A^\bot, B} : G(P^*)^\bot \to G(A^\bot) \parr G(B)$. Furthermore, observe that for every linking $P$, the object $G(P^*)^\bot$ in $\mathcal C$ is isomorphic to $\mathop{\parr}\{G(a) \parr G(a)^\bot\}$, where $a \otimes a^\bot$ ranges over the axiom links in $P$. This means that the *-autonomous structure on $\mathcal C$ uniquely determines a morphism $\phi_P : 1_{\mathcal C} \to G(P^*)^\bot$. This can be composed with $\psi_{P \triangleright A^\bot, B}$ to get $\xi_{[P \triangleright A^\bot, B]} : 1_{\mathcal C} \to G(A^\bot) \parr G(B)$. That this is well-defined is ensured by the following lemma (in which we no longer ignore the fact that the units are units). 

6.3 Lemma. If $Q \triangleright A^\bot, B \sim P \triangleright A^\bot, B$, then $\xi_{[P \triangleright A^\bot, B]} = \xi_{[Q \triangleright A^\bot, B]}$. 

Consequently, to each proof net $f = [P \triangleright A^\bot, B]$, we can uniquely assign the arrow $G(f) : G(A) \to G(B)$ that is determined by $\xi_{[P \triangleright A^\bot, B]}$ via Proposition 6.2. 

It remains to show that $G : \mathrm{PN}(\mathcal A) \to \mathcal C$ is indeed a functor (i.e. identities and composition are preserved). That for each formula $A$, the proof net $[I_A \triangleright A^\bot, A]$ is mapped to the identity $\mathrm{id} : G(A) \to G(A)$ is an easy induction on the structure of $A$ and left to the reader. The preservation of composition is ensured by the following lemma. 








6.4 Lemma. $T \triangleright \Gamma$ … $S \triangleright \Delta$ … $\vartheta[T \triangleright \Gamma]$ … $\vartheta[S \triangleright \Delta]$ … $1_C \to \parr\{G(A_1), \ldots, G(A_n)\}$, $A_1, \ldots, A_n$



It might be worth mentioning that Theorem 6.1 provides a decision procedure for the equality of morphisms in the free symmetric *-autonomous category, which is in our opinion simpler than the ones provided in [BCST96] and [KO99].



7 Conclusion 

We think we made a convincing case for the cleanest approach yet to proof 
nets with the multiplicative units. There is always the possibility that another 
“ideology” than category theory will arise and will tell us to identify sequent 
proofs in a different way, perhaps collapsing fewer proofs, and help us construct 
more rigid proof objects. But we doubt very much that such a thing exists, given 
that the permutation rules that category theory imposes on the sequent calculus 
are so natural and so hard to weaken. 

There are some issues that are left open and that we want to explore in the 
future: 

— The relation with the new proof formalism called the calculus of structures 
[GS01,BT01]. We should mention that the idea behind our approach origi- 
nates from the new viewpoints that are given by the calculus of structures. 

— The addition of additives to our theory. This should not be very hard, given 
the work done in [HvG03] . The true challenge is to include also the additive 
units. 

— The development of a theory of proof nets for classical logic. The problem is 
finding the right extension of the axioms of a *-autonomous category, such 
that on the one hand classical proofs are identified in a natural way, and on 
the other hand there is no collapse into a boolean algebra. 
— The search for meaningful invariants. It is very probable that the equivalence classes of graphs we define have a geometric meaning, and can be related to more abstract invariants like those given by homological algebra. We are convinced that the work in [Met94] is only the tip of the iceberg.
Abstract. To reason effectively about programs, it is important to have some 
version of a transitive-closure operator so that we can describe such notions as 
the set of nodes reachable from a program’s variables. On the other hand, with a 
few notable exceptions, adding transitive closure to even very tame logics makes 
them undecidable. 

In this paper, we explore the boundary between decidability and undecidability 
for transitive-closure logics. Rabin proved that the monadic second-order theory 
of trees is decidable, although the complexity of the decision procedure is not 
elementary. If we go beyond trees, however, undecidability comes immediately. 

We have identified a rather weak language called ∃∀(DTC⁺[E]) that goes beyond trees, includes a version of transitive closure, and is decidable. We show that satisfiability of ∃∀(DTC⁺[E]) is NEXPTIME complete. We furthermore show that essentially any reasonable extension of ∃∀(DTC⁺[E]) is undecidable.

Our main contribution is to demonstrate these sharp divisions between de- 
cidable and undecidable. We also compare the complexity and expressibility 
of ∃∀(DTC⁺[E]) with related decidable languages including MSO(trees) and 
guarded fixed point logics. 

We mention possible applications to systems some of us are building that use 
decidable logics to reason about programs. 



1 Introduction 

To reason effectively about programs, it is important to have some version of a transitive- 
closure operator so that we can describe such notions as the set of nodes reachable from a 
program’s variables. On the other hand, with a few notable exceptions, adding transitive 
closure to even very tame logics makes them undecidable. 

In this paper, we explore the boundary between decidability and undecidability for 
transitive-closure logics. Rabin [13] proved that the monadic second-order theory of 
trees is decidable, although the complexity of the decision procedure is not elementary. 
If we go beyond trees, however, undecidability comes immediately. 
Modal logics and their extension to the μ-calculus have proved quite useful. The μ-calculus has an EXPTIME-complete satisfiability problem [3] and the same has been shown true even for the more expressive guarded fixed-point logic, as long as the vocabulary remains of bounded arity [6]. Guarded fixed-point logic can express reachability from a specific constant, or from some point of a specific color, and it can restrict this reachability to be along paths specified, for example, by a regular expression. What it cannot express is a reachability relation between a pair of variables, i.e., that there is a path from u to v.

We have identified a rather weak language, called ∃∀(DTC⁺[E]), that goes beyond trees, includes a version of the latter sort of transitive closure, and is decidable. We show that satisfiability of ∃∀(DTC⁺[E]) is NEXPTIME complete. We furthermore show that essentially any reasonable extension of ∃∀(DTC⁺[E]) is undecidable.

The main contribution of this paper is to demonstrate the above sharp divisions 
between decidable and undecidable. We also compare the complexity and expressibility 
of ∃∀(DTC⁺[E]) with related decidable languages, including MSO(trees) and guarded fixed-point logics.

The main application we have in mind is for the static-analysis methods that we are 
pursuing. Very generally, we model the properties of an infinite set of data structures that can be generated by the program we are analyzing, using a bounded set of first-order, three-valued structures [14]. In [15], it is shown that this modeling can be improved so 
that it computes the most precise possible transformation summarizing each program 
step, through the use of decidable logics. 

Furthermore, in [9] we show that we can use a method we call "structure simulation" to significantly extend the sets of data structures that we can model with decidable logics over trees (monadic second-order logic) or graphs (∃∀(DTC⁺[E])). In the latter case, 
transitive-closure information must be restricted to deterministic paths. 

The advantage of ∃∀(DTC⁺[E]) compared with MSO(trees) is that while the latter 
is usually much more expressive, we can go beyond trees in the former. As an example, 
to express reachability in dynamic, undirected graphs, as in [2], we need not only a 
spanning forest, but a record of all the remaining edges in the undirected graph [9] . 

Fig. 1 summarizes results concerning the decidability and complexity of satisfiability for relevant logics. All the languages will be defined precisely in the next two sections. For previously known results we include a reference, and for results new to this paper 
we include the number of the relevant theorem. 



Decidable              Complexity           Citation
μ-calculus             EXPTIME complete     [3]
Guarded Fixed Point    EXPTIME complete     [6]
MSO(trees)             non-elementary       [13]
FO²                    NEXPTIME complete    [11,4]
∃∀                     Σ₂ᵖ complete         [1]
∃∀(TC⁻)                Σ₂ᵖ complete         Prop 2
∃∀(DTC⁺[E])            NEXPTIME complete    Th 4, 5
∃∀(TC, f)              NEXPTIME complete    Cor 6

Undecidable            Citation
FO²(TC)                [5]
FO²(DTC)               [5]
∀(TC⁺[E])              Cor 9
∀(DTC⁺)                Th 8
∀(DTC⁻[E])             Th 13

Fig. 1. Summary of the decidability and complexity, and the undecidability of the logics we study. The arity of all relation symbols is bounded. The results are the same for ∀ and ∃∀, and they are the same for the satisfiability and finite-satisfiability problems.






N. Immerman et al.



2 Background and Tiling 

As we have mentioned, being able to express reachability is crucial for our applications. However, adding a transitive-closure operator tends to make even very tame logics undecidable. We use TC[φ] to denote the reflexive, transitive closure of the binary relation φ(u, u′) [8]. Note: In this paper, we confine our attention to applications of TC[φ] for which φ is quantifier-free and TC-free. Furthermore, we assume throughout that the arity of all relation symbols is bounded.¹

For example, consider the simple, decidable logic FO². This is first-order logic restricted to having only two variables, x, y. Grädel et al. [5] prove that if we add the transitive-closure operator (TC) to FO² then the resulting logic is undecidable. In fact, they prove that even FO²(DTC) is undecidable. Here DTC — deterministic transitive closure — is the restriction of transitive closure to paths that have no choices. For the binary relation E(x, y), define E_d(x, y) as follows:

$$E_d(x, y) \;=\; E(x, y) \wedge \forall z\,(E(x, z) \to z = y).$$

That is, if vertex v has more than one outgoing E-edge, then it has no outgoing E_d-edges. Then define DTC as follows: DTC[E] = TC[E_d].

It is surprising that FO²(DTC) is undecidable, but the proof is that even this seemingly very weak language is strong enough to express tilings.

Definition 1. Define a tiling problem, 𝒯 = (T, R, D), to consist of a finite list of tile types, T = [t_0, …, t_k], together with horizontal and vertical adjacency relations, R, D ⊆ T². Here R(a, b) means that tiles of type b fit immediately to the right of tiles of type a, and D(a, b) means that tiles of type b fit one step down from those of type a. A solution to a tiling problem is an arrangement of instances of the tiles in a rectangular grid such that a t_0 tile occurs in the top left position, and a t_k tile occurs in the bottom right position, and all adjacency relationships are respected.

Given a Turing machine, M, and an input, w, we can build a tiling problem, 𝒯, of size O(|M| + |w|), such that 𝒯 has a solution iff M on input w eventually halts. Here any correct tiling solution would represent an accepting computation of M on input w. Think of t_0 as representing the initial state and t_k as representing the final accepting state. Thus, as is well known, any logic that can express tilings has undecidable finite satisfiability - and general satisfiability - problems.

(Standard definitions of tiling problems only require t_0 at the top left, and do not also ask for t_k at the lower right. This minor change does not affect the undecidability and complexity results, but makes some of our constructions slightly simpler.) See [1] for a nice treatment of tiling problems, as well as discussions of many relevant decidable and undecidable logics.
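
The tiling problem of Definition 1, with the corner convention of the remark above (t_0 top left, t_k bottom right), as an added example that is not code from the paper: a checker for a proposed grid and a small backtracking solver. The three tile types and the relations R and D are constructed for illustration.

```python
# Added example (not from the paper): checker and brute-force solver for
# tiling problems as in Definition 1.  A problem is (T, R, D) with tile
# types 0..k, R(a, b) "b fits right of a" and D(a, b) "b fits below a".
# A solution is a rows x cols grid with tile 0 top left, tile k bottom right,
# and every horizontally/vertically adjacent pair in R / D.
from itertools import product
from typing import List, Optional, Set, Tuple

Pair = Tuple[int, int]

# Constructed instance: a tile may be followed (right or below) by the
# same type or the next one, so the grid must "count up" from 0 to 2.
EXAMPLE_K = 2
EXAMPLE_R: Set[Pair] = {(0, 0), (0, 1), (1, 1), (1, 2), (2, 2)}
EXAMPLE_D: Set[Pair] = EXAMPLE_R


def is_solution(grid: List[List[int]], k: int, R: Set[Pair], D: Set[Pair]) -> bool:
    """True iff `grid` is a solution of (0..k, R, D) in the sense of Definition 1."""
    rows, cols = len(grid), len(grid[0])
    if grid[0][0] != 0 or grid[rows - 1][cols - 1] != k:
        return False
    for i, j in product(range(rows), range(cols)):
        a = grid[i][j]
        if j + 1 < cols and (a, grid[i][j + 1]) not in R:
            return False
        if i + 1 < rows and (a, grid[i + 1][j]) not in D:
            return False
    return True


def solve(rows: int, cols: int, k: int, R: Set[Pair], D: Set[Pair]) -> Optional[List[List[int]]]:
    """Backtracking search, filling cells left to right and top to bottom."""
    grid = [[-1] * cols for _ in range(rows)]

    def fill(pos: int) -> bool:
        if pos == rows * cols:
            return grid[rows - 1][cols - 1] == k      # bottom-right corner must be t_k
        i, j = divmod(pos, cols)
        candidates = [0] if pos == 0 else range(k + 1)  # top-left corner must be t_0
        for t in candidates:
            if j > 0 and (grid[i][j - 1], t) not in R:
                continue
            if i > 0 and (grid[i - 1][j], t) not in D:
                continue
            grid[i][j] = t
            if fill(pos + 1):
                return True
        grid[i][j] = -1
        return False

    return grid if fill(0) else None


if __name__ == "__main__":
    print(solve(3, 3, EXAMPLE_K, EXAMPLE_R, EXAMPLE_D))
```

With the constructed relations a 1 x 2 grid has no solution (tile 2 cannot sit directly right of tile 0), while 2 x 2 and larger grids do; the search is exponential in the grid size, which is the point of the reduction sketched in the text.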



3 Decidability of ∃∀(DTC⁺[E])

We start with the first-order logic ∃∀, consisting of first-order formulas in prenex form with all existential quantifiers preceding all universal quantifiers. The vocabulary has 



¹ For our intended applications, arity 2 is sufficient and arity 3 is a luxury. In theory, an unbounded arity can significantly increase some of the complexity bounds.
no function symbols. It is well known and easy to see that the satisfiability problem for ∃∀ is decidable: Let φ ∈ ∃∀. Form the Skolemization, φ_S, by replacing the existential quantifiers, ∃x_1, …, ∃x_k, by new constants, c_1, …, c_k. Suppose A ⊨ φ_S. Let C be the substructure of A whose universe consists of the constant symbols appearing in φ_S. Since φ_S is universal, we have that C ⊨ φ_S. Thus, φ has a model iff it has a small model, i.e., one of size less than |φ|. We say that ∃∀ has the small-model property, in this case with models of at most linear size. To test if a universal formula, φ_S, is satisfiable, we would guess a structure, A, of size at most n = |φ_S| and then check that A ⊨ φ_S. Testing whether a given structure satisfies an input universal first-order formula is co-NP complete. Thus satisfiability of ∃∀ formulas is in, and in fact complete for, Σ₂ᵖ, the second level of the polynomial-time hierarchy.

Since the existential quantifiers in ∃∀ formulas can be eliminated by adding constants, we limit our discussion to universal formulas. Let ∀(DTC) consist of universal formulas in which DTC may occur. Unfortunately, as we will see, satisfiability of ∀(DTC) and ∀(TC) are undecidable (Theorem 8).

It is the positive occurrences of TC that cause the satisfiability of ∀(TC) to be undecidable. Let ∃∀(TC⁻) consist of formulas in prenex form in which TC only occurs negatively.

Proposition 2. Satisfiability and finite satisfiability of ∃∀(TC⁻) are decidable with complexity complete for Σ₂ᵖ.

Proof: The above argument for ∃∀ continues to work. If φ ∈ ∃∀(TC⁻) is satisfiable, let A ⊨ φ_S, where φ_S is the Skolemization of φ. As above, let C be the substructure of A whose universe consists of the constant symbols appearing in φ_S. Then C ⊨ φ_S because if a path did not exist in A then it still does not exist in C. (Recall that we only apply TC to quantifier-free formulas.) Furthermore, we can test in polynomial time whether such a path exists in C. Thus, the complexity of satisfiability remains Σ₂ᵖ complete. □

Definition 3. Define ∃∀(DTC⁺[E]) to be the restriction of ∃∀(DTC) in which the language has only one binary relation symbol, E, (plus unary relation symbols and constants), and all applications of DTC are positive occurrences of the form DTC[E]. In addition, we include in ∃∀(DTC⁺[E]) arbitrary negative occurrences of TC[ρ] for ρ quantifier-free.² However, it is very important that there are no negative occurrences of DTC, for otherwise the language would become undecidable (Theorem 13).



Theorem 4. ∃∀(DTC⁺[E]) has the small-model property, with models of size at most 2^{O(n²)}, where n is the size of the formula. Thus, satisfiability and finite satisfiability of ∃∀(DTC⁺[E]) are decidable, with complexity at most NEXPTIME.

Proof: Using Skolemization, it suffices to prove these results for ∀(DTC[E]). Let φ ∈ ∀(DTC[E]) be satisfiable and let A ⊨ φ. We will show that there exists a model B ⊨ φ such that ‖B‖ < 2^{O(n²)}. Here ‖B‖ denotes the cardinality of the universe of the structure B, and n = |φ|.



² A more accurate name for ∃∀(DTC⁺[E]) would really be ∃∀(DTC⁺[E], TC⁻), but this is a mouthful, and all bounds remain the same whether or not the negative occurrences of TC are allowed.
Let c_1, …, c_k be the constants occurring in φ. For each pair of constants, c_i, c_j, such that A ⊨ DTC[E](c_i, c_j), there is a unique path p_ij from c_i to c_j in A. Let A′ be the substructure of A whose universe consists of the constants, plus all vertices that lie on any of the paths p_ij.

We claim that A′ ⊨ φ. To see this, first observe that for any two elements a, b of the universe of A′ we have

$$A \models \mathrm{DTC}[E](a, b) \;\Rightarrow\; A' \models \mathrm{DTC}[E](a, b) \qquad (1)$$

(The proof of Theorem 12 exploits the fact that the converse need not hold.) Since a and b occur on paths p_ij, if A ⊨ DTC[E](a, b) then the path from a to b must be along the paths p_ij. Thus A′ ⊨ DTC[E](a, b) holds as well.

Since A′ is a substructure of A and φ is a universal formula with only positive occurrences of DTC, it follows from Equation (1) that A′ ⊨ φ. (Note that the negative occurrences of TC[ρ] with ρ quantifier-free do not cause problems: since A′ is a substructure of A it follows that if A ⊨ ¬TC[ρ](a, b), then A′ ⊨ ¬TC[ρ](a, b) as well.)

Structure A′ consists of a set of "trees" directed from leaf to root, all of whose leaves and roots are constants; however, (1) some of the "trees" may end in a cycle rather than a root; and (2) multiple edges may occur from some of the roots to other vertices. Note that if there is more than one edge from vertex v, then v does not occur on any DTC path, except perhaps as the last vertex. For this reason, if there are multiple edges in A from constant c_i, then we can remove all such edges and replace them by a new unary relation symbol Q_i true of all the vertices that had edges from c_i, as long as we modify φ accordingly. (In particular, we would change all occurrences of "E(x, y)" to "E(x, y) ∨ (x = c_i ∧ Q_i(y))".) Because we can eliminate issue (2), we henceforth assume that the graph A′ has outdegree at most one.

Note that some of the paths, p_ij, p_i′j′, may intersect. If so, for simplicity we identify the first point of intersection for each pair of paths as a new constant. Observe that there are a total of at most k − 1 such new constant symbols. Thus from now on we will only consider direct paths p_ij containing no intermediate constants. See Fig. 2 for an example graph where constants c_7, c_8, and c_9 have been added.

Fig. 2. Example A′ from proof of Theorem 4 after constants c_7, c_8, c_9 have been added

After these normalization steps, A′ consists of k′ constants and at most k′ direct paths, p_ij, where k′ ≤ 2k − 1. Let r be the number of unary relation symbols, and m be the number of (universal) quantifiers in φ. We claim that no direct path p_ij need have length greater than 2^{rm} + m + 1. Suppose on the contrary that the length of p_12 is greater than 2^{rm} + m + 1. Let the color of a vertex be the set of unary relation symbols that it satisfies. There are 2^r possible colors and 2^{rm} possible m-tuples of colors; consequently there must be at least two identically colored consecutive m-tuples, u_1, …, u_m and v_1, …, v_m, in the interior of p_12. (By "consecutive" we mean the m-tuple is a path.) Form the structure B from A′ by deleting vertices u_2 through v_1 and adding an edge from u_1 to v_2.

We claim that B ⊨ φ. It suffices to show that for any m-tuple of vertices from B, b_1, b_2, …, b_m, there is a corresponding, isomorphic³ m-tuple from A′, a_1, a_2, …, a_m. Note that every vertex in B is in A′, and furthermore, the only difference between B and A′ concerning these vertices is that E(u_1, v_2) holds in B but not in A′.

If any b_i is not on the path p_12, then we let a_i be the identical vertex in A′. We may thus confine our attention to the most difficult case, namely, that b_1, b_2, …, b_m are all in the path p_12. Assume for simplicity that they occur in order. Our only problem is if for some ℓ, b_ℓ = u_1 and b_{ℓ+1} = v_2. In this case, we let a_t = b_t for t ≤ ℓ, but we let a_{ℓ+1} = u_2. Similarly, if b_{ℓ+i−1} = v_i for all i ∈ {2, …, s}, then we must let a_{ℓ+i−1} = u_i.

Consider the first gap (if any), i.e., b_i and b_{i+1} are not consecutive. We have that b_i = v_z and a_i = u_z, for some z. We can let a_j = b_j for j > i, see Fig. 3. Note that we have replaced some v_i's by u_i's but all unary relations, edge relations and connectivity have been preserved. Thus, as desired, a_1, a_2, …, a_m is isomorphic to b_1, b_2, …, b_m.



Fig. 3. Illustration of how for every m-tuple of vertices b_1, …, b_m from B there is a corresponding isomorphic m-tuple of vertices a_1, …, a_m from A′. In region (2) of B, b_1, …, b_ℓ are assigned consecutive vertices; similarly, in region (2) of A′, a_1, …, a_ℓ are assigned consecutive vertices. Because b_ℓ and b_{ℓ+1} are separated by two or more E edges in region (3) of B (i.e., there is a "gap"), the assignments for a_{ℓ+1}, …, a_m in region (4) of A′ can match those for b_{ℓ+1}, …, b_m in region (4) of B exactly



Thus B ⊨ φ as desired. We can continue shortening any remaining paths of length greater than 2^{rm} + m + 1. It follows that there is a model B of φ with ‖B‖ < (2k − 1)(2^{rm} + m + 1) < 2^{|φ|²}, as desired. □

It follows from Theorem 4 that the satisfiability of ∃∀(DTC⁺[E]) formulas can be checked in NEXPTIME. We next show that this cannot be improved.

Theorem 5. The satisfiability of ∃∀(DTC⁺[E]) formulas is NEXPTIME-complete.



³ More explicitly, we mean that the map taking each b_i to a_i is an isomorphism of the induced substructures of B and A′ generated by b_1, …, b_m and a_1, …, a_m, respectively. This may be thought of as an Ehrenfeucht-Fraïssé game in which the spoiler chooses the b_i's and the duplicator answers with the a_i's [8].
Proof: Let 𝒯 be a tiling problem as in Definition 1, and let n be a natural number. It is an NEXPTIME-complete problem to test on input (𝒯, 1ⁿ) whether there is a 𝒯-tiling of a square grid of size 2ⁿ by 2ⁿ [12].

We will define a formula φ_n that expresses exactly a solution to this tiling problem. There will be two constants: s, denoting the cell in the upper-left corner, and t, denoting the cell in the lower-right corner. The desired model will consist of 2^{2n} tiles:

$$s = [1, 1, t_0] \cdots [1, 2^n, t];\ [2, 1, t'] \cdots [2, 2^n, t''];\ \cdots\ [2^n, 1, t'''] \cdots [2^n, 2^n, t_k] = t$$

The binary relation E will hold between each pair of consecutive tiles, including, for example, [1, 2ⁿ, t] and [2, 1, t′]. We will include the following unary relation symbols: H_1, …, H_n, indicating the horizontal position as an n-bit number; V_1, …, V_n, indicating the vertical position; and T_0, …, T_k, indicating the tile type.

The formula is the conjunction of the following assertions:

1. $T_0(s) \wedge \bigwedge_{i=1}^{n} (\neg H_i(s) \wedge \neg V_i(s)) \wedge T_k(t) \wedge \bigwedge_{i=1}^{n} (H_i(t) \wedge V_i(t))$

2. $\forall x \bigwedge_{0 \le i < j \le k} \neg(T_i(x) \wedge T_j(x))$

3. $\forall x, y\,((\mathrm{Suc}_v(x, y) \to \mathrm{Vert}(x, y)) \wedge (\mathrm{Suc}_h(x, y) \to \mathrm{Hor}(x, y)))$

4. $\mathrm{DTC}[E](s, t) \wedge \forall x, y\,(E(x, y) \to \mathrm{Next}(x, y))$

Here (1) says that s is the first tile, has tile type t_0, and t is the last tile and has tile type t_k. We have chosen for simplicity to encode the tile types in unary so we need (2), which says that tile types are mutually exclusive.

Conjunct (3) says that the arrangement of tiles honors 𝒯's adjacency requirements. The abbreviation Suc_h(x, y) means that x and y have the same vertical position and y's horizontal position is one more than that of x. Suc_v(x, y) means that x and y have the same horizontal position and y's vertical position is one more than that of x. The abbreviations Hor(x, y) and Vert(x, y) are disjunctions over the tile types asserting that the tiles in positions x and y are horizontally, respectively vertically, compatible; for example,

$$\mathrm{Hor}(x, y) \;=\; \bigvee_{R(t_i, t_j)} (T_i(x) \wedge T_j(y)) \qquad (2)$$

Finally, (4) says that there is a path from s to t. The abbreviation Next(x, y) means Suc_h(x, y) or x has horizontal position 2ⁿ, y has horizontal position 1, and y's vertical position is one more than that of x. □

The formula described in the above proof can be written in length O(n) using only two variables. When satisfiable, it has a minimal model of size 2^{O(n)}. In Corollary 16 we extend the above argument, showing that the 2^{O(n²)} bound of Theorem 4 is in fact optimal. For this we need a variant of the above φ_n that uses n variables.
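
The structure from the proof of Theorem 5, built from a concrete 2ⁿ × 2ⁿ grid of tile types, together with a checker for conjuncts (1) to (4) of φ_n, as an added example (our code, not the paper's). It assumes the encoding the proof describes: cells numbered row by row with E between consecutive cells, the bits H_1, …, H_n and V_1, …, V_n holding the column and row index minus one (so s has all bits 0 and t has all bits 1), and the tile type stored as a function from cells to types in place of the unary T_j. The three-tile problem is constructed for illustration. The checker consults only s, t, E and the unary information, exactly as φ_n does, and the deterministic path test shows why a stray extra E-edge from s falsifies conjunct (4).

```python
# Added example (not from the paper): build the structure used in the proof
# of Theorem 5 from a 2^n x 2^n grid of tile types and evaluate the four
# conjuncts of phi_n on it.  Assumptions: cells are numbered row by row,
# E links consecutive cells, the bits H_1..H_n / V_1..V_n store the column /
# row index minus one (so s has all bits 0 and t has all bits 1), and T_j
# is represented by a function from cells to tile types.
from itertools import product

# Constructed tiling problem: tiles 0..2, R(a, b) "b fits right of a",
# D(a, b) "b fits below a".
TILING_K = 2
TILING_R = {(0, 0), (0, 1), (1, 1), (1, 2), (2, 2)}
TILING_D = TILING_R


def build_model(grid, n):
    """Structure with universe 0 .. 2^(2n)-1 for a 2^n x 2^n grid of tile types."""
    size = 1 << n
    assert len(grid) == size and all(len(row) == size for row in grid)
    cells = range(size * size)
    return {
        "s": 0,
        "t": size * size - 1,
        "E": {(c, c + 1) for c in cells if c + 1 < size * size},
        "H": {c: tuple((c % size >> i) & 1 for i in range(n)) for c in cells},
        "V": {c: tuple((c // size >> i) & 1 for i in range(n)) for c in cells},
        "T": {c: grid[c // size][c % size] for c in cells},
    }


def dtc_holds(E, x, y):
    """DTC[E](x, y): follow E from x while the out-degree stays exactly one."""
    succ = {}
    for a, b in E:
        succ.setdefault(a, set()).add(b)
    seen = {x}
    while x != y:
        if len(succ.get(x, ())) != 1:
            return False          # a choice point: no deterministic path continues
        (x,) = succ[x]
        if x in seen:
            return False          # de terministic cycle that never reaches y
        seen.add(x)
    return True


def check_phi(model, k=TILING_K, R=TILING_R, D=TILING_D):
    """Truth value of each conjunct (1)-(4) of phi_n in the given model."""
    s, t, E, H, V, T = (model[key] for key in ("s", "t", "E", "H", "V", "T"))
    cells = list(T)
    top = (1 << len(H[s])) - 1                       # position 2^n, 0-based
    hpos = lambda x: sum(bit << i for i, bit in enumerate(H[x]))
    vpos = lambda x: sum(bit << i for i, bit in enumerate(V[x]))
    suc_h = lambda x, y: vpos(x) == vpos(y) and hpos(y) == hpos(x) + 1
    suc_v = lambda x, y: hpos(x) == hpos(y) and vpos(y) == vpos(x) + 1
    nxt = lambda x, y: suc_h(x, y) or (
        hpos(x) == top and hpos(y) == 0 and vpos(y) == vpos(x) + 1)
    hor = lambda x, y: (T[x], T[y]) in R            # Equation (2)
    vert = lambda x, y: (T[x], T[y]) in D
    c1 = (T[s] == 0 and not any(H[s] + V[s])
          and T[t] == k and all(H[t] + V[t]))
    c2 = all(0 <= T[x] <= k for x in cells)          # one tile type per cell
    c3 = all((not suc_v(x, y) or vert(x, y)) and (not suc_h(x, y) or hor(x, y))
             for x, y in product(cells, repeat=2))
    c4 = dtc_holds(E, s, t) and all(nxt(x, y) for x, y in E)
    return {"1": c1, "2": c2, "3": c3, "4": c4}


if __name__ == "__main__":
    print(check_phi(build_model([[0, 1], [1, 2]], 1)))
```

For n = 1 the 2 × 2 grid [[0, 1], [1, 2]] satisfies all four conjuncts; replacing the top-right tile by 2 breaks conjunct (3), and adding a second E-edge out of s breaks conjunct (4) because s then has no outgoing E_d-edge.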



4 Logics with One Function Symbol 

We next discuss the language ∀(TC, f), which consists of universal first-order logic with a transitive-closure operator and one unary function symbol, plus arbitrary unary relation symbols and constants. This is closely related to the language ∃∀(DTC⁺[E]). One important difference is that in ∀(f) we may write a formula that has only infinite models.⁴

It is well known that the satisfiability and finite-satisfiability problems for monadic second-order logic with a single unary function symbol are decidable,⁵ although their complexities are not elementary, even when restricted to first-order quantification [10, 13, 1, 7].

It is not hard to modify the proofs of Theorems 4 and 5 to apply to ∀(TC, f). (For functions, the implication of Equation (1) is a biimplication, and thus the result goes through for positive and negative DTC's.)

Corollary 6. The finite satisfiability problem for ∀(TC, f) is NEXPTIME complete.⁶

Proof: If a formula φ ∈ ∀(TC, f) has a finite model A, then it must have a model of the form A′ as in the proof of Theorem 4. The only difference is that since f must be a total function, there are no roots; that is, all trees end in cycles. The size of the smallest model is still 2^{O(n²)}. The difference in counting is slight, namely, applications of the function symbol f can extend the apparent number of constant symbols: f(c_i) behaves like a new constant symbol c′_i, and f(x) behaves like a new universally quantified variable y, such that E(c_i, c′_i) and E(x, y), respectively, must hold. Thus, the proofs of Theorems 4 and 5 go through if we replace k and m by qk and qm, respectively, where q is the number of occurrences of f in φ. □



5 Undecidability of Related Logics 

We next show that most reasonable extensions of the language ∃∀(DTC⁺[E]) can express the solution to tiling problems, and thus are undecidable. In this section we show that any of the following changes cause undecidability: the use of TC; the presence of more than one binary relation symbol; or a single positive use of DTC[σ], where σ is quantifier-free. In the next section, we show that ∀(DTC⁻[E]) is undecidable. To begin, we first show

Theorem 7. Satisfiability and finite satisfiability of ∀(DTC⁺[V], DTC⁺[H]) — universal logic with two binary relations, V and H, and their positive deterministic transitive closure — are undecidable.

Proof: Let 𝒯 be a tiling problem (Definition 1). We show how to write a formula φ ∈ ∀(DTC⁺[V], DTC⁺[H]) such that φ is satisfiable iff 𝒯 has a solution.

Formula φ contains four constant symbols, a, b, c, and d, representing the four corners of the solution to 𝒯; see Fig. 4.

We assert that every element satisfies exactly one of the tile relations, T_0, …, T_k. We assert T_0(a) ∧ T_k(d), i.e., the upper left tile is t_0 and the lower right is t_k. We assert 



⁴ For example: $\forall x, y\,(c \ne f(x) \wedge (f(x) = f(y) \to x = y))$.

⁵ This is equivalent to the MSO theory of trees with multiple successor functions.

⁶ This holds as well for the general satisfiability problem. For infinite structures there is a similar "small model" except that from some constants there is an infinite chain that intersects no other vertices of the structure. The infinite chain must repeat an m-tuple of colors and can from thereafter repeat exactly. Thus it has a representation of size \
Fig. 4. A tiling as expressed in Theorem 7

that H and V paths exist between the four corners: DTC[H](a, b) ∧ DTC[H](c, d) ∧ DTC[V](a, c) ∧ DTC[V](b, d).

We add a unary predicate, Last, and assert the conjunction of the universal closure of the following formulas: Last(b), ¬V(x, b), V(x, y) → (Last(x) ↔ Last(y)), and (H(x, y) ∧ ¬V(x, y)) → ¬Last(x). These assure that Last is true exactly of the tiles in the rightmost column. In this column, we make the H-edges go down along the V-edges, i.e., Last(x) ∧ Last(y) → (H(x, y) ↔ V(x, y)). This allows us to express the fact that H-edges continue all the way to the right in every row, i.e., we assert: ∀x DTC[H](x, d).

We assert that H and V edges satisfy the corresponding horizontal and vertical tiling constraints, using the formulas Hor and Vert as in Equation (2): ∀x, y((H(x, y) ∧ ¬Last(x) → Hor(x, y)) ∧ (V(x, y) → Vert(x, y))).

We assert that the intermediate rows are filled in: ∀x, y, x′, y′((H(x, y) ∧ V(x, x′) ∧ V(y, y′)) → H(x′, y′)).

Finally, we assert that the columns are filled in and line up: ∀x, y, x′, y′((¬Last(x) ∧ H(x, y) ∧ V(x, x′) ∧ H(x′, y′)) → V(y, y′)).

It is not hard to see that the conjunction of the above assertions is equivalent to the existence of a solution to the tiling problem, 𝒯. Thus satisfiability of ∀(DTC⁺[V], DTC⁺[H]) is undecidable. □

Theorem 7 shows that a second binary relation over which we can take DTC causes undecidability. We can modify the proof to show that even if there is only one (positive) occurrence of DTC, the logic is still undecidable if a second binary relation is allowed, or if DTC is allowed to be taken not just over the relation E, but over a formula that also involves unary relation symbols.

Theorem 8. Satisfiability and finite satisfiability of ∀(DTC⁺) are undecidable. This holds even if there is only one occurrence of DTC and only one binary relation symbol. Also, if there is a second binary relation symbol, then the single occurrence of DTC can be restricted to the form DTC[E].

Proof: We modify the proof of Theorem 7 so that the path from a to d through the tiled 
rectangle is along a single snake-like path of the edge predicate, E, as in Fig. 5. 
Fig. 5. A tiling expressed with a single occurrence of DTC as in Theorem 8



We do this by adding a unary relation First denoting the first column of the tiling rectangle, plus the relation R true of the tiles in the odd-numbered rows. We then make the E-path go left-to-right on the rows satisfying R and right-to-left on the other rows.

Define the edges along the snake-like path,

$$\sigma(x, y) \;=\; E(x, y) \wedge \big((R(x) \leftrightarrow R(y)) \vee (\mathit{First}(x) \wedge \neg R(x) \wedge R(y)) \vee (\mathit{Last}(x) \wedge R(x) \wedge \neg R(y))\big).$$

The single use of DTC is the assertion DTC[σ](a, d). We also assert the completion of squares (see Fig. 5),

$$\big(E(x, y) \wedge E(y, y') \wedge E(y', x') \wedge (R(x) \leftrightarrow R(y)) \wedge (R(x') \leftrightarrow R(y')) \wedge (R(y) \leftrightarrow \neg R(y'))\big) \to E(x, x').$$

Finally, we add the following assertions, which together make sure that all models must be valid tilings:

1. $T_0(a) \wedge T_k(d) \wedge \mathit{First}(a) \wedge \mathit{Last}(d) \wedge \neg(\mathit{First}(x) \wedge \mathit{Last}(x))$

2. $\bigvee_{i=0}^{k} T_i(x) \wedge \bigwedge_{0 \le i < j \le k} \neg(T_i(x) \wedge T_j(x))$

3. $(E(x, y) \wedge (R(x) \leftrightarrow \neg R(y))) \to ((\mathit{First}(x) \leftrightarrow \mathit{First}(y)) \wedge (\mathit{Last}(x) \leftrightarrow \mathit{Last}(y)))$

4. $E(x, y) \to \neg\big((R(x) \wedge R(y) \wedge (\mathit{Last}(x) \vee \mathit{First}(y))) \vee (\neg R(x) \wedge \neg R(y) \wedge (\mathit{Last}(y) \vee \mathit{First}(x)))\big)$

5. $((E(x, y) \wedge R(x) \wedge R(y)) \vee (E(y, x) \wedge \neg R(x) \wedge \neg R(y))) \to \mathrm{Hor}(x, y)$

6. $(E(x, y) \wedge (R(x) \leftrightarrow \neg R(y))) \to \mathrm{Vert}(x, y)$

Again formulas Hor and Vert are as in Equation (2). The conjunction of the universal closure of all the above assertions thus asserts a solution to the tiling problem, 𝒯, as desired. To prove the last assertion in the statement of the theorem: with a second relation symbol, W, we can let E correspond to σ, and W correspond to E ∧ ¬σ. □
We remark that if in the proof of Theorem 8 we reverse the edges that are not σ edges, then we can use TC[E] in lieu of DTC[σ] and the proof goes through. Thus we have,

Corollary 9. Satisfiability and finite satisfiability of ∀(TC⁺[E]) are undecidable. This holds even if there is only a single occurrence of TC (it occurs as TC[E]) and E is the only binary relation symbol.

Note that the formulas in Theorems 7, 8, and Corollary 9 use only two variables except in the completion-of-squares formula. In fact, using an extra occurrence of TC, we can write equivalent formulas with only two variables. We do this by reversing the vertical edges in the even columns. We then assert that each non-boundary edge, (x, y), is in an appropriate cycle, i.e., TC[E](y, x) or DTC[γ](y, x) holds, for appropriate γ.

Corollary 10. If we allow a second occurrence of a transitive-closure operator, the undecidability results of Theorems 7, 8, and Corollary 9 all remain true for the corresponding languages with only two variables.



6 Undecidability of V(DTC- [E] ) 

We were quite surprised to find that although V(TC~) is decidable, V(DTC“ [S]) is not. 
We give the somewhat subtle proof in this section. First we show that V(DTC“ [E ] ) has 
an infinity axiom. 

Proposition 11. There is a sentence in V(DTC~[iil]) that is satisfiable, but only in an 
infinite model. 

Proof: The idea is that we know that if E(c0, c1) and ¬DTC[E](c0, c1) both hold, then 
there must be another edge from c0. We can use this observation to write an infinity 
axiom that essentially expresses the existence of a successor function. We write the 
conjunction of the following formulas: 

1. ∀v(v ≠ c1 → (E(v, c1) ∧ ¬DTC[E](v, c1))) 

2. ∀v u1 u2 (v ≠ c1 ∧ E(u1, v) ∧ E(u2, v) → u1 = u2) 

3. c0 ≠ c1 ∧ ∀v ¬E(v, c0) 

(1) says that every vertex besides c1 has an edge to c1 but not a DTC path to c1, so it 
must have outdegree greater than 1; (2) says that every vertex besides c1 has in-degree 
at most one; and (3) says that c0 has in-degree 0. Thus, there must be an infinite chain 
of edges starting at c0. 

These formulas are satisfied by a model that contains the natural numbers plus a new 
point called c1, with edges E(n, c1) and E(n, n+1), for n = 0, 1, .... □ 
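The mechanism behind the infinity axiom can be checked mechanically on finite prefixes of the model just described. The following Python script is an added example for this edition, not part of the paper: it evaluates DTC[E] on a finite graph (assumption: DTC[E](x, y) holds iff there is a path of length at least 1 from x to y all of whose vertices other than y have out-degree exactly 1, the deterministic-path reading used throughout this section, taken non-reflexively) and tests assertions (1)-(3) on the constructed graph with vertices 0, ..., N and c1, taking c0 = 0. Exactly the last natural number N violates (1): it has out-degree 1, so its single edge to c1 is a deterministic path, which is why no finite prefix of the chain can satisfy the sentence.

```python
from collections import defaultdict


def out_edges(edges):
    """Successor sets of a finite directed graph given as a set of (x, y) pairs."""
    succ = defaultdict(set)
    for x, y in edges:
        succ[x].add(y)
    return succ


def dtc(edges, x, y):
    """DTC[E](x, y): a path x = v0, v1, ..., vk = y with k >= 1 such that every vi
    with i < k has out-degree exactly 1.  Assumption: the non-reflexive reading, i.e.
    the transitive closure of E'(u, v) = E(u, v) and 'v is the only successor of u'."""
    succ = out_edges(edges)
    seen, cur = {x}, x
    while len(succ[cur]) == 1:           # only a vertex of out-degree 1 extends the path
        nxt = next(iter(succ[cur]))
        if nxt == y:
            return True
        if nxt in seen:                  # deterministic cycle that never reaches y
            return False
        seen.add(nxt)
        cur = nxt
    return False


def prop11_model(N, c1="c1"):
    """Finite prefix {0..N} + {c1} of the infinite model from Proposition 11:
    E(n, c1) for every n, and E(n, n+1) for n < N (constructed input)."""
    vertices = set(range(N + 1)) | {c1}
    edges = {(n, c1) for n in range(N + 1)} | {(n, n + 1) for n in range(N)}
    return vertices, edges


def violations(N, c0=0, c1="c1"):
    """(formula number, witness) pairs at which the conjunction (1)-(3) of
    Proposition 11 fails on the finite prefix of size N+1."""
    V, E = prop11_model(N, c1)
    pred = defaultdict(set)
    for x, y in E:
        pred[y].add(x)
    bad = []
    for v in V:
        if v == c1:
            continue
        # (1): an edge to c1 but no DTC path to c1, hence out-degree > 1
        if not ((v, c1) in E and not dtc(E, v, c1)):
            bad.append((1, v))
        # (2): in-degree at most one for every vertex other than c1
        if len(pred[v]) > 1:
            bad.append((2, v))
    # (3): c0 is distinct from c1 and has in-degree 0
    if c0 == c1 or pred[c0]:
        bad.append((3, c0))
    return sorted(bad, key=str)


if __name__ == "__main__":
    print(violations(5))                 # only the end of the chain fails: [(1, 5)]
```

Every vertex n < N keeps the two edges n→c1 and n→n+1, so the deterministic path out of n is empty and (1) is satisfied; extending the chain by one vertex merely moves the single violation one step further, which is the finite-model-theoretic content of the infinity axiom.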

Theorem 12. Satisfiability and finite satisfiability of ∀(DTC[E]) are undecidable. 

Proof: We take as our starting point the undecidability proof of Theorem 8. Our new 
idea is to remove all of the non-boldface E's in Fig. 5 and to replace them by a gadget 
of new green vertices, satisfying the unary relation symbol, G, and associated edges. 
The existence of the green vertices and their associated edges will be implied by the 
“not DTC trick” introduced in the proof of Proposition 11, together with some universal 
first-order statements that make sure that the vertical edges continue to be attached 
appropriately. 

Just as in the proof of Theorem 8, we express the existence of a tiling. Since we have 
removed the non-boldface E's, we can now simply express the path from the first tile to 
the last as DTC[E](a, d). 

Fig. 6. Gadget used in Theorem 12 

To define the gadget, we add two new constants, b, for the top rightmost tile, and c1 
for the top rightmost green vertex, just below it. The green path proceeds in the opposite 
direction of the non-green, tile path directly above it, see Fig. 6. 

We make the following assertions. These all concern the green row below each R, 
i.e., right-going, row of tiles. For simplicity, we skip the analogous case below each 
left-going row of tiles. 

1. G(c1) ∧ E(c1, b) ∧ ∀ux(E(c1, x) ∧ G(x) ∧ E(b, u) → E(x, u)) 

2. ∀x((¬G(x) ↔ DTC[E](x, d)) ∧ (¬G(x) → DTC[E](a, x))) 

3. ∀xyz(G(x) ∧ E(x, y) ∧ E(x, z) ∧ y ≠ z → (G(y) ↔ ¬G(z))) 

4. ∀uvxyz(¬G(u) ∧ ¬G(v) ∧ G(x) ∧ G(y) ∧ G(z) ∧ R(u) ∧ R(v) ∧ E(v, u) ∧ E(x, u) ∧ 
E(x, y) ∧ E(y, z) → E(z, v)) 

5. ∀uvxyz(¬G(u) ∧ ¬G(v) ∧ G(x) ∧ G(y) ∧ G(z) ∧ ¬R(u) ∧ ¬R(v) ∧ E(u, v) ∧ 
E(x, u) ∧ E(x, y) ∧ E(y, z) → E(z, v)) 

6. ∀uvxy(¬G(u) ∧ ¬G(v) ∧ G(x) ∧ G(y) ∧ R(u) ∧ ¬R(v) ∧ E(x, u) ∧ E(x, y) ∧ 
E(y, v) → Vert(u, v)) 

(1) starts us out by saying that c1 is green, has an edge to b, and its green successor 
has an edge to the tile directly below b. (2) says that green vertices do not have DTC paths 
to d, but all non-green vertices do; it also says that all the non-green vertices lie on the 
DTC-path from a to d. (3) says that if the outdegree of a green vertex is at least 2, then it 
has a green and a non-green successor. We will assure later, inductively, that each green 
vertex has an edge to a non-green vertex. Since the non-green vertex has a DTC-path to 
d, but the green vertex does not, this assures that the green vertex has outdegree 2. (4) is 
an inductive condition, which says that if x, y, and z are consecutive green nodes, and 
if x points up to a non-green node, u, then z points up to u's predecessor, v. (5) is the 
similar condition for the edges going down. 

Finally, condition (6) asserts that these green gadgets transmit the vertical information 
between the non-green, i.e., tile, nodes as desired. □ 

Theorem 12 leaves open the question of the decidability of ∀(DTC⁻[E]). It would 
seem that the positive use of DTC was crucial in the statement DTC[E](a, d). However, 
even this can be replaced by the “not DTC trick”. (The positive uses of DTC in formula (2) 
of the proof of Theorem 12 can easily be removed.) The conclusion is that ∀(DTC⁻[E]) 
is undecidable. 

Theorem 13. Satisfiability and finite satisfiability of ∀(DTC⁻[E]) are undecidable. 

Proof: We modify the proof of Theorem 12 by removing the assertion DTC[E](a, d) and 
replacing it using the “not DTC trick”. More explicitly, we add another unary predicate B 
true of the tiles, and we add another constant, c0. Then we make the following additional 
assertions: 

1. B(a) ∧ ∀x(B(x) ∧ x ≠ d → E(x, c0) ∧ ¬DTC[E](x, c0)) 

2. ∀xy(B(x) ∧ y ≠ c0 ∧ E(x, y) → B(y)) 

3. The in-degree for B-vertices from B-vertices is at most one, and it is zero for a. 

(1) and (2) together assert that each B-vertex besides d has an edge to another B-
vertex. It follows that either DTC[E](a, d) holds, or there is an infinite path. Thus, the 
formula is finitely satisfiable iff the corresponding tiling problem has a solution. (To 
show that the general satisfiability problem for ∀(DTC⁻[E]) is undecidable, we would 
modify the construction to assert that there is no node d, and thus an infinite path, so that 
the corresponding Turing machine, when started on blank tape, never halts. The tiling 
would have to be modified so that the first row has length one, and each successive row 
has one greater length. This is necessary so that an infinite path corresponds to an infinite 
computation rather than an infinitely long first row.) □ 



7 Complexity of the Decision Procedure 

In this section, we study the complexity of the decision procedure for ∃∀(DTC⁺[E]). 
The first thing we do is look more carefully at the proof of Theorem 5, and show that 
our lower bound is tight, matching the 2^{O(n²)} upper bound of Theorem 4. 

Lemma 14. The formula φ_n used in the proof of Theorem 5 may be written in length 
O(n). 

Proof: The only difficulty in keeping φ_n to total size O(n) is in writing the formulas 
Suc_h(x, y) and Suc_v(x, y). These are nearly identical and we will restrict our attention to 
Suc_h(x, y). Recall that Suc_h(x, y) means that the horizontal position of y is one greater 
than the horizontal position of x. (Our convention is that the bit positions are numbered 1 
to n, with 1 being the high-order bit, and n the low-order bit.) Suc_h(x, y) can be written 
as follows: 

$$\mathrm{Suc}_h(x,y) \;=\; \bigvee_{i=1}^{n} \Big( \bigwedge_{j>i} \big(H_j(x) \wedge \neg H_j(y)\big) \;\wedge\; \big(\neg H_i(x) \wedge H_i(y)\big) \;\wedge\; \bigwedge_{j<i} \big(H_j(x) \leftrightarrow H_j(y)\big) \Big)$$

However, the length of the above formula is O(n²). We can decrease the size by 
keeping track of the position i in the above formula. We do this by adding 2n more 
unary relation symbols, G_j, K_j, 1 ≤ j ≤ n. The intuitive meaning of K_i(x) is that it is 
bit i of the horizontal number that will be incremented as we go from x to its successor. 
This means that ¬H_i(x), and for all j > i, H_j(x); i.e., there is a “0” in position i, and 
a “1” in each position to the right of i. 

The intuitive meaning of G_j(x) is that j > i where K_i(x). We also use the abbreviation 
L_j(x) = ¬(K_j(x) ∨ G_j(x)). (The mnemonic is that G holds for elements in 
positions “greater” than the K position; L holds for elements in “lesser” positions.) 

The advantage of having these new relations is that we can now reduce the length of 
Suc_h(x, y) as follows: 

$$\mathrm{Suc}_h(x,y) \;=\; \bigwedge_{j=1}^{n} \Big( \big(G_j(x) \wedge H_j(x) \wedge \neg H_j(y)\big) \;\vee\; \big(K_j(x) \wedge \neg H_j(x) \wedge H_j(y)\big) \;\vee\; \big(L_j(x) \wedge (H_j(x) \leftrightarrow H_j(y))\big) \Big)$$

Finally, we must write down several more conditions. The conjunction of the follow- 
ing conditions assures that the new relations G_i and K_i are defined correctly. 

1. $\forall x\,\big(K_1(x) \vee K_2(x) \vee \cdots \vee K_n(x) \vee (H_1(x) \wedge H_2(x) \wedge \cdots \wedge H_n(x))\big)$ 

2. $\forall x\,\Big(\bigwedge_{i=1}^{n-1} \cdots \;\wedge\; \bigwedge_{i=1}^{n-1} \cdots\Big)$ 

3. $\forall x\,\Big(\bigwedge_{i=1}^{n-1} \big(K_{i+1}(x) \to L_i(x)\big) \;\wedge\; \bigwedge_{i=1}^{n-1} \big(G_i(x) \to G_{i+1}(x)\big)\Big)$ 

4. $\forall x\,\Big(\bigwedge_{i=1}^{n} \neg\big(K_i(x) \wedge G_i(x)\big) \;\wedge\; \bigwedge_{i=1}^{n} \big((G_i(x) \to H_i(x)) \wedge (K_i(x) \to \neg H_i(x))\big)\Big)$ 



□ 
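To see the two encodings side by side, here is an added Python example (written for this edition, not taken from the paper) that evaluates the O(n²)-size Suc_h and the O(n)-size version driven by the derived relations K_i, G_i, L_i, using the paper's bit convention (H_1 high-order, H_n low-order), and checks conditions (1), (3) and (4) of Lemma 14 on the derived relations. Condition (2) is not checked because its body is not legible on the page. One caveat the example surfaces: when x is all ones, no K_i holds (the escape clause of condition (1)) and the O(n) formula degenerates to H(x) = H(y) instead of being false, so the two formulas agree exactly on the x that have a successor, which is all the proof needs.

```python
def h_bits(v, n):
    """H_1..H_n of the integer v, with H_1 the high-order bit (the paper's
    convention).  List index i-1 holds H_i."""
    return [(v >> (n - i)) & 1 for i in range(1, n + 1)]


def suc_quadratic(hx, hy):
    """Suc_h as the O(n^2) disjunction over the position i that is incremented."""
    n = len(hx)
    for i in range(n):
        if (all(hx[j] == 1 and hy[j] == 0 for j in range(i + 1, n))  # lower 1s cleared
                and hx[i] == 0 and hy[i] == 1                            # bit i set
                and all(hx[j] == hy[j] for j in range(i))):             # higher bits kept
            return True
    return False


def kgl(hx):
    """Derived relations for x: K_i (bit i is the one to increment), G_j (j lies to the
    right of the K position) and L_j = not (K_j or G_j)."""
    n = len(hx)
    K = [hx[i] == 0 and all(hx[j] == 1 for j in range(i + 1, n)) for i in range(n)]
    G = [any(K[:j]) for j in range(n)]
    L = [not (K[j] or G[j]) for j in range(n)]
    return K, G, L


def suc_linear(hx, hy):
    """Suc_h as the O(n) conjunction guided by K, G and L."""
    K, G, L = kgl(hx)
    return all((G[j] and hx[j] == 1 and hy[j] == 0)
               or (K[j] and hx[j] == 0 and hy[j] == 1)
               or (L[j] and hx[j] == hy[j])
               for j in range(len(hx)))


def side_conditions(hx):
    """Conditions (1), (3) and (4) of Lemma 14, evaluated on the derived K, G, L."""
    K, G, L = kgl(hx)
    n = len(hx)
    c1 = any(K) or all(hx)
    c3 = (all((not K[i + 1]) or L[i] for i in range(n - 1))
          and all((not G[i]) or G[i + 1] for i in range(n - 1)))
    c4 = (all(not (K[i] and G[i]) for i in range(n))
          and all(((not G[i]) or hx[i] == 1) and ((not K[i]) or hx[i] == 0)
                  for i in range(n)))
    return c1 and c3 and c4


def compare(n):
    """All pairs (x, y) of n-bit numbers on which the two encodings disagree."""
    return [(x, y) for x in range(2 ** n) for y in range(2 ** n)
            if suc_quadratic(h_bits(x, n), h_bits(y, n))
            != suc_linear(h_bits(x, n), h_bits(y, n))]


if __name__ == "__main__":
    print(compare(4))   # only the all-ones x disagrees: [(15, 15)]
```

Counting literals, the first encoding has 2n atoms per disjunct and n disjuncts, while the second has nine atoms per conjunct and n conjuncts, which is the O(n²) versus O(n) gap the lemma is about; the unary relations K, G, L are what let the position i be carried by the element x instead of by the formula.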

It follows from Lemma 14 and the proof of Theorem 5 that we can write a sequence 
of formulas φ_n ∈ ∃∀(DTC⁺[E]), n = 1, 2, ... such that |φ_n| = O(n), φ_n has only two 
variables, and yet φ_n's smallest model is of size 2^{Ω(n)}. This is the best possible with 
only two variables. To match the 2^{O(n²)} upper bound of Theorem 4, we need a formula 
with n variables. 

We can count up to 2^{n²} using a sequence of n consecutive vertices, each with a 
number between 1 and 2^n. We will add n more unary relation symbols, G_i, 1 ≤ i ≤ n. 
A tile will then be encoded by n vertices as follows: 

[G_1, h_1, v_1, t] [G_2, h_2, v_2, t] ... [G_n, h_n, v_n, t] 
[G_1, h'_1, v'_1, t'] [G_2, h'_2, v'_2, t'] ... [G_n, h'_n, v'_n, t'] 
... 

That is, the first n vertices hold tile t with its (collective) horizontal and vertical 
numbers (h_1, ..., h_n) and (v_1, ..., v_n) having values between 1 and 2^n, the next n 
vertices hold tile t' with the successor number, etc. Using very similar ideas to the proof 
of Lemma 14 we can prove: 

Lemma 15. Given any tiling problem, T, we can write a sequence of formulas φ_n^T of 
length O(n), n = 1, 2, ..., such that φ_n^T is satisfiable iff there is a solution to T that is 
a 2^{n²} by 2^{n²} square. 



Corollary 16. The 2^{O(n²)} upper bound of Theorem 4 is optimal. 

8 Conclusions 

We have introduced the language ∃∀(DTC⁺[E]), which is a decidable transitive-closure 
logic that goes beyond trees. We have shown that all the reasonable extensions of 
∃∀(DTC⁺[E]) that we could think of are undecidable. Uses of ∃∀(DTC⁺[E]) exist, 
but how useful it might be remains to be seen. 

We showed that the satisfiability of ∃∀(DTC⁺[E]) is NEXPTIME-complete. The 
lower bound depended on a formula that describes an exponentially long sequence of 
colors. We suspect that in practice the formulas one encounters would have much, much 
shorter sequences of color types. We suspect that techniques related to Ehrenfeucht- 
Fraïssé games can automatically find the relevant color sequences. These ideas might 
lead to a satisfiability algorithm that is feasible in practice. 
Game-Based Notions of Locality over Finite Models 

Abstract. Locality notions in logic say that the truth value of a for- 
mula can be determined locally, by looking at the isomorphism type of a 
small neighborhood of its free variables. Such notions have proved to be 
useful in many applications. They all, however, refer to isomorphism of 
neighborhoods, which most local logics cannot test for. A more relaxed 
notion of locality says that the truth value of a formula is determined by 
what the logic itself can say about that small neighborhood. Or, since 
most logics are characterized by games, the truth value of a formula is 
determined by the type, with respect to a game, of that small neigh- 
borhood. Such game-based notions of locality can often be applied when 
traditional isomorphism-based locality cannot. 

Our goal is to study game-based notions of locality. We work with an 
abstract view of games that subsumes games for many logics. We look 
at three, progressively more complicated locality notions. The easiest 
requires only very mild conditions on the game and works for most logics 
of interest. The other notions, based on Hanf’s and Gaifman’s theorems, 
require more restrictions. We state those restrictions and give examples of 
logics that satisfy and fail the respective game-based notions of locality. 



1 Introduction 

Locality is a property of logics that finds its origins in the work by Hanf [13] 
and Gaifman [10], and that was shown to be very useful in the context of finite 
model theory. Locality is primarily used in two ways: for proving inexpressibility 
results, and for establishing normal forms for logical formulae. The former has 
led to new easy winning strategies in logical games [6,8,20], with applications 
in descriptive complexity (e.g., the study of monadic NP and its relatives [8], 
or circuit complexity classes [21]), in databases (e.g., establishing bounds on the 
expressiveness of aggregate queries [16], or on query rewriting in data integration 
and exchange [7, 1]), and in formal languages (e.g., in characterizing subclasses 
of star-free languages [27]). Local normal forms like those in [10,25] have found 
many applications as well, for example, in the design of low-complexity model- 
checking algorithms [9, 12, 26], in automata theory [25] and in computing weakest 
preconditions for database transactions [2]. 

There are two closely related ways of stating locality of logical formulae. One, 
originating in Hanf's work [13], says that if two structures 𝔄 and 𝔅 realize the 
same multiset of isomorphism types of neighborhoods of radius d, then they 
agree on a given sentence Φ. Here d depends only on Φ. 

The notion of locality inspired by Gaifman's theorem [10] says that if the 
d-neighborhoods of two tuples ā1 and ā2 in a structure 𝔄 are isomorphic, then 
𝔄 ⊨ φ(ā1) ⟺ φ(ā2). Again, d depends on φ, and not on 𝔄. 

If all formulae in a logic are local, it is easy to prove bounds on its expressive 
power. For example, connectivity violates the Hanf notion of locality, as one 
cycle of length 2m and two disjoint cycles of length m realize the same multiset 
of isomorphism types of neighborhoods of radius d as long as m > 2d + 1. 
Likewise, the transitive closure of a graph violates the Gaifman notion of locality: 
in the graph in Fig. 1, one can find two elements a, b such that the radius-d 
neighborhoods of (a, b) and (b, a) are isomorphic, and yet the transitive closure 
distinguishes these tuples. 

Fig. 1. Locality and transitive closure 



These notions of locality, while very useful in many applications, have one 
deficiency: they all refer to isomorphism of neighborhoods, which is a very strong 
property (typically not expressible in a logic that satisfies one of the locality 
properties). There are situations when these notions are not applicable simply 
because structures do not have enough isomorphic neighborhoods! One example 
was given in [21] which discussed applicability of locality techniques to the study 
of small parallel complexity classes: consider a directed tree in which all non-leaf 
nodes have different out-degrees. Then locality techniques cannot be used to 
derive any results about logics over such trees. 

Intuitively, it seems that requiring isomorphism of neighborhoods is too much. 
Suppose we are dealing with first-order logic FO, which is local in the sense of 
Gaifman. For a structure 𝔄, it appears that if FO itself cannot see the difference 
between two large enough neighborhoods of points a and b in 𝔄, then it should 
not be able to see the difference between elements a and b in 𝔄. That is, for a 
given formula φ(x), if radius-d neighborhoods of a and b cannot be distinguished 
by sufficiently many FO formulae, then 𝔄 ⊨ φ(a) ⟺ φ(b). 

Gaifman's theorem [10] actually implies that this is the case: if φ is of quan- 
tifier rank k, then there exist numbers d and l, dependent on k only, such that 
if radius-d neighborhoods of a and b cannot be distinguished by formulae of 
quantifier rank l, then 𝔄 ⊨ φ(a) ⟺ φ(b). 

In fact, it seems that if a logic is local (say, in the sense of Gaifman), then 
for each formula φ there is a number d such that if the logic cannot distinguish 
radius-d neighborhoods of ā and b̄, then φ(ā) ⟺ φ(b̄). 

The goal of this paper is to introduce such notions of locality based on log- 
ical indistinguishability of neighborhoods, and see if they apply to logics that 
are known to possess isomorphism-based locality properties. Since logical equiv- 
alence is often captured by Ehrenfeucht-Fraïssé-type games, we shall refer to 
such new notions of locality as game-based locality. 

We shall discover that the situation is more complex than one may have 
expected, and passing from isomorphism-based locality to game-based is by no 
means guaranteed for logics known to possess the former. 

To be able to talk about general game-based locality notions, we need a 
unifying framework for talking about logical games that subsumes games for 
FO, and many of its counting and generalized quantifier extensions. A game is 
described via an agreement, which is a collection of tactics, and each tactic is a 
set of partial functions according to which the game is played. We present this 
framework in Section 3. 

To analyze game-based locality, we then study conditions on agreements that 
guarantee one of the locality notions. We look at three progressively more com- 
plex notions: weak locality, Gaifman-locality, and Hanf-locality, which are de- 
scribed in Section 4. Weak locality is a variation of Gaifman-locality that ap- 
plies to non-overlapping neighborhoods. In general, establishing some variation 
of game-based locality for a logic L does not imply that fragments or extensions 
of L will possess the same locality property. 

Weak locality turns out to require very little and holds for so-called basic 
agreements, as shown in Section 6. While most games of interest are based 
on basic agreements, we give an example of one unary generalized-quantifier 
extension of FO which fails weak locality. 

In Section 7, we study Hanf-locality under games and show that it holds 
for a class of agreements that we call matching. These include games for some 
counting extensions of FO, but game-based Hanf-locality fails for FO itself (as 
was already observed in [25]) and some of its generalized-quantifier extensions. 

In Section 8, we study Gaifman-locality under games. We show that this no- 
tion often implies a normal form result for a logic, similar to Gaifman’s theorem 
for FO. We establish Gaifman-locality for games corresponding to FO and some 
of its extensions. 

Due to space limitations, proofs are not presented in this extended abstract. 
A full version containing all the proofs can be obtained from the authors. 

2 Notation 

We work with finite structures, whose universes are subsets of some count- 
able infinite set U. All vocabularies will be finite sequences of relation symbols 
σ = (R_1, ..., R_n); a σ-structure 𝔄 consists of a finite universe A ⊆ U and an 
interpretation of each m-ary relation symbol in σ as a subset of A^m. We 
adopt the convention that the universe of a structure is denoted by the corre- 
sponding Roman letter, that is, the universe of 𝔄 is A, the universe of 𝔅 is B, 
etc. Isomorphism of structures will be denoted by ≅. 

For a relation R ⊆ A × B, we use dom(R) to denote its domain {a ∈ A | 
∃b (a, b) ∈ R} and rng(R) to denote the range {b ∈ B | ∃a (a, b) ∈ R}. We use 
the same notation dom and rng for the domain and range of a (partial) function. 
The graph of a function f : A → B is denoted by graph(f) = {(a, b) | b = f(a)}. 

Given two tuples ā1 and ā2, we write ā1ā2 for their concatenation. 

Next, we introduce the logics considered in the paper. First-order logic will 
be denoted by FO. Then, we define unary generalized quantifiers Q_S 
[19, 28]. Let S ⊆ N. We denote by FO(Q_S) the extension of FO with the following 
formation rule: if ψ(x, ȳ) is a formula, then φ(ȳ) = Q_S x ψ(x, ȳ) is a formula. 
The semantics is as follows: 𝔄 ⊨ φ(ā) iff |{a | 𝔄 ⊨ ψ(a, ā)}| ∈ S. One could also 
define FO extended with a collection of simple unary generalized quantifiers. 

We consider one special case of unary quantifiers: modulo quantifiers (cf. [23, 
24, 28]). If S = {n · p | n ∈ N}, then we write Q_p instead of Q_S. 

Finally, we define a powerful counting logic that subsumes most counting 
extensions of FO, in particular FO extended with arbitrary collections of unary 
generalized quantifiers. The structures for this logic are two-sorted, N being the 
second sort. There is a constant symbol for each k ∈ N. The logic has infinitary 
connectives ⋁ and ⋀, and counting terms: if φ is a formula and x̄ a tuple of 
free first-sort variables in φ, then #x̄.φ is a term of the second sort, whose free 
variables are those in φ except x̄. Its value is the number of tuples ā that make 
φ(ā, ·) true. This logic, denoted by L_∞ω(Cnt), defines all properties of finite 
structures. 

To restrict it, we use the notion of quantifier rank qr(·), which is defined 
as the maximum depth of quantifier nesting (including quantification over the 
numerical universe for two-sorted logics). For L_∞ω(Cnt), we also define qr(#x̄.φ) 
as qr(φ) + |x̄|. 

We now define L*_∞ω(Cnt) as L_∞ω(Cnt) restricted to formulae and terms 
that have finite rank. This logic subsumes known counting extensions of FO, but 
cannot express many properties definable, say, in fixed-point logics or fragments 
of second-order logic [20]. 

3 Games and Logics 

We now present the first way of abstractly viewing games such as Ehrenfeucht- 
Fraïssé games, as well as games for counting and unary-quantifier extensions of 
FO. Such games are played by two players, the spoiler and the duplicator, on 
two σ-structures 𝔄 and 𝔅. The goal of the spoiler is to show that the structures 
are different while the duplicator is trying to show that they are the same. 

In most games, the spoiler and the duplicator agree on a class of relations 
before the game starts, that is, for each A, B ⊆ U, they have sets 𝔉(A, B) = 
{F_1(A, B), ..., F_s(A, B)}, where each F_i(A, B) is a family of subsets of A × B. 
The game starts with a position (ā0, b̄0), where ā0 ∈ A^l, b̄0 ∈ B^l (l could be 
0). After i rounds, the position of the game consists of (ā0, a_1, ..., a_i) in 𝔄 and 
(b̄0, b_1, ..., b_i) in 𝔅. Given a position (ā0ā, b̄0b̄) after round i, the game proceeds 
as follows: 


1. The spoiler selects a structure, 𝔄 or 𝔅. 

2. The duplicator picks a family of relations F(A, B) ∈ 𝔉(A, B), if the spoiler 
selected 𝔄, or F(B, A) ∈ 𝔉(B, A), if the spoiler selected 𝔅. Assume that the 
spoiler chose 𝔄, the other case being completely symmetric. 

3. The spoiler chooses one relation R ∈ F(A, B) and an element a ∈ dom(R). 

4. The duplicator responds with an element b ∈ rng(R) such that (a, b) ∈ R, 
and the game continues from the position (ā0āa, b̄0b̄b). 



We now present games corresponding to FO, L*_∞ω(Cnt), and FO(Q_p). 

— If 𝔉(A, B) = {{A × B}} for every A, B ⊆ U, then this is the usual 
Ehrenfeucht-Fraïssé game: the spoiler is free to choose any point in A, and 
the duplicator is free to choose any point in B. 

— Let f_1, ..., f_r enumerate all the bijections A → B. Suppose 𝔉(A, B) = 
{{graph(f_1)}, ..., {graph(f_r)}}. Then we have the bijective game of [14]. 
In this game, in each round, the duplicator selects a bijection f : A → B; 
the spoiler plays a ∈ A and the duplicator responds by f(a) ∈ B. 

— Given A, B ⊆ U, consider sets F(A, B) of the form {C_i × D_i | C_i ⊆ A, D_i ⊆ 
B, i ∈ I}, where every subset of B occurs as one of the D_i's, and |C_i| ≡ 
|D_i| (mod p) for each i. 𝔉(A, B) consists of all F(A, B)'s of this form. This 
is the setting of the game for modulo p quantifiers Q_p [24]. In each round 
of this game, the spoiler chooses D ⊆ B and the duplicator selects C ⊆ A 
with |C| ≡ |D| (mod p). Then the spoiler plays a ∈ A and the duplicator 
responds with b ∈ B such that a ∈ C iff b ∈ D. 



The presentation of games given above is standard in the literature. For 
stating results in the paper, we shall use a slightly different way of presenting 
games. Suppose we have a position (ā0ā, b̄0b̄) in the game, and the duplicator 
chooses a family F(A, B) ∈ 𝔉(A, B). By doing so, the duplicator is certain that, 
no matter what relation R ∈ F(A, B) the spoiler chooses, for every a ∈ dom(R), 
he has a response b ∈ rng(R). That is, for every R ∈ F(A, B), the duplicator 
has one or more partial functions f : A → B with graph(f) ⊆ R, such that if the spoiler 
plays a ∈ A, he can respond with f(a) ∈ B. From now on, we shall be defining 
games using such a functional approach. 



Definition 1. An agreement 𝔉 over U is a collection 𝔉 = {𝔉(A, B) | A, B ⊆ U}, 
where each 𝔉(A, B) = {F_1(A, B), ..., F_m(A, B)}, m ≥ 0, is a set of tactics, and 
each tactic F_i(A, B) is a set of partial functions f : A → B. 

The 𝔉-game on (𝔄, ā0) and (𝔅, b̄0) is played by the spoiler and the duplicator. 
Given a position (ā0ā, b̄0b̄) after round i, round i + 1 proceeds as follows. The 
spoiler selects one of the structures, say 𝔄. The duplicator chooses a tactic 
F(A, B) ∈ 𝔉(A, B). The spoiler then chooses f ∈ F(A, B) and a ∈ dom(f), and 
the game continues from the position (ā0āa, b̄0b̄f(a)). If the spoiler selects 𝔅, 
the duplicator chooses a tactic F(B, A) ∈ 𝔉(B, A) instead, and the roles of the 
two structures are exchanged. 

We write (𝔄, ā0) ≡_k^𝔉 (𝔅, b̄0) if the duplicator has a winning strategy in the 
k-round 𝔉-game, under the usual winning condition of Ehrenfeucht-Fraïssé games. 

One can pass from the usual representation of games to the functional one 
without loss of generality: 

Lemma 1. For every agreement 𝔉 = {𝔉(A, B)} given by families of relations there 
is an agreement 𝔉' = {𝔉'(A, B)} whose tactics are sets of partial functions such that, 
for all A, B ⊆ U and all k ≥ 0, the relations ≡_k^𝔉 and ≡_k^𝔉' coincide. 

We now return to the games seen in the previous example, and show how 
they look under the functional approach. We define three agreements: 𝔉(FO), 
𝔉(L*_∞ω(Cnt)), and 𝔉(FO(Q_p)). 

— 𝔉(FO): a tactic is a singleton set {f}, where f : A → B is a total function. 
Then 𝔉(A, B), for each pair of finite sets (A, B), contains all possible tactics. 

— 𝔉(L*_∞ω(Cnt)): same as above, except that each tactic is {f} where f : A → 
B is a bijection (there are no tactics if |A| ≠ |B|). 

— 𝔉(FO(Q_p)): given A, B ⊆ U, a tactic is a set F of partial maps such that 
for every D ⊆ B, there exists f ∈ F such that dom(f) = A and |{c ∈ A | 
f(c) ∈ D}| ≡ |D| (mod p). 

Definition 2. Let 𝔉 be an agreement and let L be a logic whose formulae are 
stratified as L = L_0 ∪ L_1 ∪ ... (typically by quantifier rank). We say that 𝔉-games 
are games for L if for every k ≥ 0 there is k' ≥ 0 such that 
(𝔄, ā0) ≡_k'^𝔉 (𝔅, b̄0) implies (𝔄 ⊨ φ(ā0) ⟺ 𝔅 ⊨ φ(b̄0)) for every φ ∈ L_k. 

If, conversely, for every k' ≥ 0 there is k ≥ 0 such that 
(𝔄, ā0) ≡_k'^𝔉 (𝔅, b̄0) whenever 𝔄 ⊨ φ(ā0) ⟺ 𝔅 ⊨ φ(b̄0) for every φ ∈ L_k, 
then we say that 𝔉-games capture L. 

Games are usually applied to prove inexpressibility results, in which case one 
only needs the condition that a given game is a game for a logic. In many cases, 
however, the converse holds too, that is, games completely characterize logics. 
The following is a reformulation, under our view of games, of standard results 
on characterizing logics by games [5, 17, 14, 16, 24, 28]. 

Proposition 1. Let L be one of FO, L*_∞ω(Cnt), FO(Q_p). Then 𝔉(L)-games 
capture L, where L_k is the set of formulae of L of quantifier rank ≤ k. 


4 Locality 

Given a σ-structure 𝔄, its Gaifman graph, denoted by G(𝔄), has A as the set 
of nodes. There is an edge (a_1, a_2) in G(𝔄) iff there is a relation symbol R in σ 
such that for some tuple t̄ in the interpretation of this relation in 𝔄, both a_1, a_2 
occur in t̄. By the distance d(a_1, a_2) we mean the distance in the Gaifman graph, 
with d(a, a) = 0. If there is no path from a_1 to a_2 in G(𝔄), then d(a_1, a_2) = ∞. 
We write d(ā, b) for the minimum of d(a, b) over a from ā. 

Let 𝔄 be a σ-structure, and ā = (a_1, ..., a_m) ∈ A^m. The r-ball around 
ā is the set B_r^𝔄(ā) = {b ∈ A | d(ā, b) ≤ r}. The r-neighborhood of 
ā = (a_1, ..., a_m) in 𝔄 is the structure N_r^𝔄(ā) of vocabulary σ expanded with 
m constant symbols, where the universe is B_r^𝔄(ā); σ-relations are restrictions of 
σ-relations in 𝔄 to B_r^𝔄(ā), and the m additional constants are a_1, ..., a_m. 

Since we define a neighborhood around an m-tuple as a structure with ad- 
ditional constant symbols, for any isomorphism h between N_r^𝔄(a_1, ..., a_m) and 
N_r^𝔅(b_1, ..., b_m), it must be the case that h(a_i) = b_i, 1 ≤ i ≤ m. 

Let 𝔄, 𝔅 be σ-structures, where σ only contains relation symbols. Let ā ∈ A^m 
and b̄ ∈ B^m. We write (𝔄, ā) ⇆_d (𝔅, b̄) if there exists a bijection f : A → B such 
that N_d^𝔄(āc) and N_d^𝔅(b̄f(c)) are isomorphic, for every c ∈ A. This definition is 
most commonly used when m = 0; then 𝔄 ⇆_d 𝔅 means that for some bijection 
f : A → B, N_d^𝔄(c) ≅ N_d^𝔅(f(c)) for all c ∈ A. That is, 𝔄 ⇆_d 𝔅 iff 𝔄 and 𝔅 
realize the same multiset of isomorphism types of d-neighborhoods of points. 
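As an added example for this edition (not code from the paper), the following Python script computes Gaifman graphs, radius-d balls and neighborhood types as just defined, and uses them to check the connectivity example from the introduction: one cycle of length 2m and two disjoint cycles of length m are ⇆_d-equivalent when m > 2d + 1, and stop being so at m = 2d + 1, where the d-ball in the short cycle wraps around and is a cycle rather than a path. The neighborhood "type" computed here is a colour-refinement (1-WL) hash of N_d(c) with the centre marked; equal hashes are necessary for isomorphism and, for the path-shaped balls that arise in these cycles, also sufficient, but for arbitrary structures a genuine isomorphism test would have to replace it (this assumption is stated in the code).

```python
import hashlib
from collections import Counter, deque


def cycle_relation(n, offset=0):
    """Successor relation of a directed cycle on offset .. offset+n-1 (constructed input)."""
    return {(offset + i, offset + (i + 1) % n) for i in range(n)}


def gaifman_graph(universe, relations):
    """Gaifman graph G(A): a and b are adjacent iff they occur together in a tuple."""
    adj = {a: set() for a in universe}
    for rel in relations:
        for t in rel:
            for a in t:
                for b in t:
                    if a != b:
                        adj[a].add(b)
                        adj[b].add(a)
    return adj


def ball(adj, centre, d):
    """B_d(centre) as a dict vertex -> Gaifman distance, by breadth-first search."""
    dist = {centre: 0}
    queue = deque([centre])
    while queue:
        u = queue.popleft()
        if dist[u] == d:
            continue
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def neighbourhood_type(adj, centre, d):
    """Colour-refinement (1-WL) invariant of N_d(centre): the subgraph induced on
    B_d(centre) with the centre distinguished.  Isomorphic neighbourhoods always get
    equal values; the converse is assumed only for tree-shaped balls (a general
    isomorphism test would be needed otherwise)."""
    nodes = ball(adj, centre, d)
    sub = {u: [v for v in adj[u] if v in nodes] for u in nodes}
    colour = {u: repr((u == centre, len(sub[u]))) for u in nodes}
    for _ in range(len(nodes)):                       # enough rounds to stabilise
        colour = {
            u: hashlib.sha256(
                repr((colour[u], sorted(colour[v] for v in sub[u]))).encode()
            ).hexdigest()
            for u in nodes
        }
    return (colour[centre], tuple(sorted(colour.values())))


def hanf_equivalent(adj1, adj2, d):
    """A <->_d B: the two Gaifman graphs realise the same multiset of
    d-neighbourhood types, i.e. some bijection f has N_d(c) ~ N_d(f(c)) for all c."""
    types1 = Counter(neighbourhood_type(adj1, c, d) for c in adj1)
    types2 = Counter(neighbourhood_type(adj2, c, d) for c in adj2)
    return types1 == types2


def one_cycle(n):
    return gaifman_graph(range(n), [cycle_relation(n)])


def two_cycles(m):
    return gaifman_graph(range(2 * m), [cycle_relation(m) | cycle_relation(m, offset=m)])


if __name__ == "__main__":
    d = 3
    for m in (7, 8):                                  # 2d+1 = 7
        print(m, hanf_equivalent(one_cycle(2 * m), two_cycles(m), d))
```

Since connectivity separates the two structures while every d-neighborhood type agrees, no Hanf-local sentence can express connectivity, which is exactly the argument of the introduction; the threshold m = 2d + 1 is where the ball first sees that the short cycle closes up.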

We say that a formula φ(x̄) is Hanf-local if there exists a number d ≥ 0 such 
that 𝔄 ⊨ φ(ā) ⟺ 𝔅 ⊨ φ(b̄) whenever (𝔄, ā) ⇆_d (𝔅, b̄). This concept was first 
introduced by Hanf [13] for FO over infinite structures, then modified by [8] to 
work for sentences over finite models. 

Gaifman's theorem [10] states that every FO formula φ(x̄) is equivalent to 
a Boolean combination of sentences and formulae in which quantification is 
restricted to B_r(x̄), with r determined by φ. In particular, this implies that 
for every FO formula, we have two numbers, d and k, such that if 𝔄 and 𝔅 
agree on all FO sentences of quantifier rank ≤ k and N_d^𝔄(ā) ≅ N_d^𝔅(b̄), then 
𝔄 ⊨ φ(ā) ⟺ 𝔅 ⊨ φ(b̄). This concept is normally used when 𝔄 = 𝔅; then it says 
that a formula φ(x̄) is Gaifman-local if there exists a number d ≥ 0 such that 
for every structure 𝔄, if N_d^𝔄(ā1) ≅ N_d^𝔄(ā2), then 𝔄 ⊨ φ(ā1) ⟺ φ(ā2). 

A formula φ(x̄) is weakly local [21] if the above condition holds for disjoint 
neighborhoods: that is, there is a number d ≥ 0 such that for every structure 𝔄, 
if N_d^𝔄(ā1) ≅ N_d^𝔄(ā2) and B_d^𝔄(ā1) ∩ B_d^𝔄(ā2) = ∅, then 𝔄 ⊨ φ(ā1) ⟺ φ(ā2). 
The following implications are known [15, 21]: Hanf-local ⟹ Gaifman-local ⟹ 
weakly-local. Examples of logics in which all formulae are Hanf- (and hence 
Gaifman- and weakly-) local are all the logics considered so far: FO, FO(Q_p), 
L*_∞ω(Cnt) [10, 15, 20, 23]. There are examples of formulae that are Gaifman- 
but not Hanf-local [15] and weakly but not Gaifman-local [21]. 

We now state the definition that relaxes the concept of locality, by placing 
requirements weaker than isomorphism of neighborhoods. For d, l ≥ 0, we use 
the notation (𝔄, ā) ⇆_d^l (𝔅, b̄) if there exists a bijection f : A → B such that 
N_d^𝔄(āc) ≡_l^𝔉 N_d^𝔅(b̄f(c)) for every c ∈ A. 

Definition 3. An agreement 𝔉 is Hanf-local if for every k, m ∈ N there exist 
d, l ∈ N such that for all structures 𝔄, 𝔅 and all ā ∈ A^m, b̄ ∈ B^m, 

(𝔄, ā) ⇆_d^l (𝔅, b̄) ⟹ (𝔄, ā) ≡_k^𝔉 (𝔅, b̄). 

It is Gaifman-local if for every k, m ∈ N there exist d, l ∈ N such that 
for all structures 𝔄, 𝔅 and all ā ∈ A^m, b̄ ∈ B^m, 

𝔄 ≡_l^𝔉 𝔅 and N_d^𝔄(ā) ≡_l^𝔉 N_d^𝔅(b̄) ⟹ (𝔄, ā) ≡_k^𝔉 (𝔅, b̄). 

It is weakly-local if for every k, m ∈ N there exist d, l ∈ N such that 
for every structure 𝔄 and all ā, b̄ ∈ A^m, 

N_d^𝔄(ā) ≡_l^𝔉 N_d^𝔄(b̄) and B_d^𝔄(ā) ∩ B_d^𝔄(b̄) = ∅ ⟹ (𝔄, ā) ≡_k^𝔉 (𝔄, b̄). 

Our main question is the following: are logics local under their own games? Or, 
more precisely: suppose 𝔉-games are games for a logic L; is 𝔉 Hanf-, Gaifman-, 
or weakly-local? 

If a logic is local under its games, we need an assumption weaker than iso- 
morphism in order to prove that formulae cannot distinguish some elements of 
a structure. Consider, for example, the case of Gaifman-locality, applied to one 
structure 𝔄. Normally, to derive φ(ā1) ⟺ φ(ā2), we would need to assume that 
N_d^𝔄(ā1) ≅ N_d^𝔄(ā2) for some appropriate d. But suppose we know that φ comes 
from a logic Gaifman-local under 𝔉-games. If k is such that (𝔄, ā1) ≡_k^𝔉 (𝔄, ā2) 
implies φ(ā1) ⟺ φ(ā2), then we find d, l ∈ N that ensure 

N_d^𝔄(ā1) ≡_l^𝔉 N_d^𝔄(ā2) ⟹ (𝔄, ā1) ≡_k^𝔉 (𝔄, ā2) ⟹ 𝔄 ⊨ φ(ā1) ⟺ φ(ā2). 

Thus, instead of isomorphism of neighborhoods, we have a weaker require- 
ment that they be indistinguishable by the 𝔉-game, in l rounds. 

Even though the notion of locality under games is easier to apply, it is harder 
to analyze than the standard isomorphism-based locality. For example, if a logic 
L is local (Hanf-, or Gaifman-, or weakly) under isomorphisms, and L' is a 
sublogic of L, then L' is local as well. The same, however, is not true for game- 
based locality, as we shall see, as properties of games guaranteeing locality need 
not be preserved if one passes to weaker games. 



5 Basic Structural Properties 

We now look at some of the most basic properties of agreements that are expected 
to hold. Intuitively, they are: (1) the spoiler is free to play any point he wants 
to; (2) the duplicator can mimic the spoiler's moves when they play on the same 
structure; (3) the games on (𝔄, 𝔅) and (𝔅, ℭ) can be composed into a single 
game on (𝔄, ℭ); and (4) agreements do not depend on a particular choice of 
elements of U. 

Definition 4. An agreement 𝔉 is admissible if the following hold: 

(1) for every tactic F(A, B) ∈ 𝔉(A, B), ∪{dom(f) | f ∈ F(A, B)} = A (the 
spoiler can play any point of the chosen structure); 

(2) for every A ⊆ U there is a tactic F(A, A) ∈ 𝔉(A, A) such that every 
f ∈ F(A, A) is the identity on dom(f) (the duplicator can mimic the spoiler); 

(3) for all F(A, B) ∈ 𝔉(A, B) and F'(B, C) ∈ 𝔉(B, C), the composition 
F(A, B) ∘ F'(B, C) = {g ∘ f | f ∈ F(A, B), g ∈ F'(B, C)} is a tactic in 𝔉(A, C) 
(games compose); 

(4) for every F(A, B) ∈ 𝔉(A, B) and all bijections g : A' → A, h : B → B', 
the set {h ∘ f ∘ g | f ∈ F(A, B)} is a tactic in 𝔉(A', B') (agreements do not 
depend on the particular elements of U). 

It is an easy observation that the agreements 𝔉(FO), 𝔉(L*_∞ω(Cnt)), and 
𝔉(FO(Q_p)) are admissible. 

Proposition 2. … $\mathcal{G}$ … $k, m > 0$, … $(\mathfrak{A}, \vec{a})$, $\vec{a} \in A^m$ … $(\mathfrak{A}, \vec{a}) \equiv_k^{\mathcal{G}} (\mathfrak{B}, h(\vec{a}))$ …

In many logics, the equivalence classes of $\equiv_k^{\mathcal{G}}$ are definable by formulae (they
correspond to … or rank-$k$ types, as $k$ typically refers to the quantifier rank).
Then definable sets are unions of types. We introduce an abstract notion of
definable sets: a set $S \subseteq \ldots$ is $(\mathcal{G}, k)$-definable in $\mathfrak{A}$ if it is closed under $\equiv_k^{\mathcal{G}}$;
that is, $\vec{a} \in S$ and $(\mathfrak{A}, \vec{a}) \equiv_k^{\mathcal{G}} (\mathfrak{A}, \vec{a}_1)$ imply $\vec{a}_1 \in S$. For admissible agreements,
definable sets behave in the expected way.

Proposition 3. , U ^ ^ ' ■ , - , (5^> ^) - , / , , 





G?, k+{) 



6 Weak Locality 

We now move to the first locality condition, weak locality. In many applications
of locality, at least for proving expressibility bounds, one actually uses weak
locality, as it is easier to work with disjoint neighborhoods (see, e.g., Fig. 1).
While examples of weakly-local formulae violating other notions of locality exist,
they are not particularly natural [21].

To guarantee weak locality, we impose two very mild conditions on $\mathcal{G}$-games.
The first has to do with compositionality. Composition of games is a standard
technique that allows one to use $\mathfrak{A} \equiv_k^{\mathcal{G}} \mathfrak{A}'$ and $\mathfrak{B} \equiv_k^{\mathcal{G}} \mathfrak{B}'$ to conclude
$\mathcal{H}(\mathfrak{A}, \mathfrak{B}) \equiv_l^{\mathcal{G}} \mathcal{H}(\mathfrak{A}', \mathfrak{B}')$, for some operation $\mathcal{H}$ (see, e.g., [22] for a survey). While in general
such compositionality properties depend on the type of games and the operator
$\mathcal{H}$, there is one scenario where they almost universally apply: when $\mathcal{H}$ is the
disjoint union of structures [22] (in fact, $l$ is usually equal to $k$ in this situation).
We want our games to satisfy this property. We use $\uplus$ for the disjoint union of sets
and functions.

Definition 5. … compositional … $\mathcal{T}(A,B)$ … $\mathcal{G}(C,D)$ … $A \cap C = B \cap D = \emptyset$ … $\mathcal{T}(A,B) \uplus \mathcal{G}(C,D)$ … $f \in \mathcal{T}(A,B)$ … $g \in \mathcal{G}(C,D)$ … $f \uplus g$ …
The second condition says that if in a game $\mathfrak{A} \equiv_k^{\mathcal{G}} \mathfrak{B}$, both players play
restricted to subsets $C \subseteq A$ and $D \subseteq B$, then such a game may be considered as
a game on the substructures of $\mathfrak{A}$ and $\mathfrak{B}$ generated by $C$ and $D$, respectively. Again,
this condition is true for practically all reasonable games.

We formalize it as follows. We denote the set of all nonempty restrictions
of partial functions from $\mathcal{F}(A,B)$ to $C \subseteq A$ by $\mathcal{F}(A,B)|_C$. Consider a tactic
$\mathcal{T}(A,B)$, and nonempty sets $C \subseteq A$ and $D \subseteq B$. We say that $\mathcal{T}(A,B)$ is …
to $(C, D)$ if $a \in C \Leftrightarrow f(a) \in D$ for every $f \in \mathcal{T}(A,B)$ and $a \in \mathrm{dom}(f)$.

Definition 6. … shrinkable … $\mathcal{T}(A,B) \in \mathcal{G}$ … $C$ … $(C, D)$ … $\mathcal{T}(A,B)|_C$ … $(C, D)$ …

… $\mathcal{G}$ … basic …

A simple examination of the agreements seen so far in this paper shows:

Proposition 4. … $\mathcal{G}(\mathrm{FO})$, $\mathcal{G}(\mathcal{L}^*_{\infty\omega}(\mathbf{Cnt}))$ … $\mathcal{G}(\mathrm{FO}(Q_p))$ …

Recall that an agreement $\mathcal{G}$ is weakly-local if for every $k, m > 0$ there exist
$d, l > 0$ such that for every structure $\mathfrak{A}$ and every $\vec{a}, \vec{b} \in A^m$, if $N_d^{\mathfrak{A}}(\vec{a}) \equiv_l^{\mathcal{G}} N_d^{\mathfrak{A}}(\vec{b})$
and the neighborhoods $N_d^{\mathfrak{A}}(\vec{a})$ and $N_d^{\mathfrak{A}}(\vec{b})$ are disjoint, then $(\mathfrak{A}, \vec{a}) \equiv_k^{\mathcal{G}} (\mathfrak{A}, \vec{b})$. We
define the weak locality rank of $\mathcal{G}$, denoted by $\mathrm{wlr}_{\mathcal{G}}(k, m)$, as the
minimum $d$ for which the above condition holds.



Theorem 1. … $\mathrm{wlr}_{\mathcal{G}}(k, m) = O(2^k)$ …






Corollary 1. … $\mathcal{G}(\mathrm{FO})$, $\mathcal{G}(\mathcal{L}^*_{\infty\omega}(\mathbf{Cnt}))$ … $\mathcal{G}(\mathrm{FO}(Q_p))$ …

That is, FO, FO$(Q_p)$, and $\mathcal{L}^*_{\infty\omega}(\mathbf{Cnt})$ are weakly-local under their games.

Nevertheless, there are extensions of FO with simple unary generalized quan- 
tifiers that are not weakly-local under their games. 

Let Prime be the set of primes and $Q_{\mathrm{Prime}}$ the corresponding generalized
quantifier. That is, FO$(Q_{\mathrm{Prime}})$ extends FO with formulae $Q_{\mathrm{Prime}}\,y\ \varphi(\vec{x}, y)$ such
that $\mathfrak{A} \models Q_{\mathrm{Prime}}\,y\ \varphi(\vec{a}, y)$ iff $|\{a \mid \mathfrak{A} \models \varphi(\vec{a}, a)\}|$ is a prime number. We show that
FO$(Q_{\mathrm{Prime}})$ is not weakly-local under its games.

We first define the agreement $\mathcal{G}(\mathrm{FO}(Q_{\mathrm{Prime}}))$. For two finite sets $A, B \subseteq U$,
a tactic is a set $\mathcal{T}$ of partial maps such that for every nonempty $D \subseteq B$, there
exists $f \in \mathcal{T}$ such that $\mathrm{dom}(f) = A$ and $|f^{-1}(D)| \in \mathrm{Prime}$ iff $|D| \in \mathrm{Prime}$. (In
terms of the game, in every round the spoiler selects a set $D \subseteq B$; the duplicator
selects $C \subseteq A$ such that $|C|$ is prime iff $|D|$ is. Then the spoiler plays $a \in A$ and
the duplicator responds with $b \in B$ such that $a \in C$ iff $b \in D$.) Notice that this
agreement is not compositional, and hence not basic.

It is known [28] that for every FO$(Q_{\mathrm{Prime}})$-formula $\varphi(\vec{x})$ of quantifier rank $k$,
if $(\mathfrak{A}, \vec{a}) \equiv_k^{\mathcal{G}(\mathrm{FO}(Q_{\mathrm{Prime}}))} (\mathfrak{B}, \vec{b})$ then $\mathfrak{A} \models \varphi(\vec{a})$ iff $\mathfrak{B} \models \varphi(\vec{b})$. Thus, to show that
FO$(Q_{\mathrm{Prime}})$ is not weakly-local under its games, it suffices to prove the following:

Proposition 5. $\mathcal{G}(\mathrm{FO}(Q_{\mathrm{Prime}}))$ is not weakly-local.

For this, we give a formula $\varphi(x)$ such that for every $d, l > 0$, there is a
structure $\mathfrak{A}$ and $a, b \in A$ such that $N_d^{\mathfrak{A}}(a) \equiv_l^{\mathcal{G}} N_d^{\mathfrak{A}}(b)$, $B_d^{\mathfrak{A}}(a) \cap B_d^{\mathfrak{A}}(b) = \emptyset$,
and yet $\mathfrak{A} \models \varphi(a) \wedge \neg\varphi(b)$.

Let $\sigma$ be a signature of a unary relation $R$ and a binary relation $E$, and let
$d, l > 0$. Consider the structure $\mathfrak{A}$ whose $E$-relation is shown in Fig. 2 below;
the relation $R$ is interpreted as the set of all $a_i$'s, $b_i$'s, and $c_i$'s. Let $\varphi(x)$ be
$Q_{\mathrm{Prime}}\,y\ (R(y) \wedge \neg E(x, y))$.



(Figure: elements $a$, $b$, $c$ of the structure.)

Fig. 2. A structure for proving that FO$(Q_{\mathrm{Prime}})$ is not weakly-local under its games

There are infinitely many primes $r$ such that all the numbers $r - i$ ($i < l$)
are composite. Choose two sufficiently large $p, q$ ($p \neq q$) from this set so
that $N_d^{\mathfrak{A}}(a) \equiv_l^{\mathcal{G}} N_d^{\mathfrak{A}}(b)$ (notice that $d$ can be taken to be 1, without
loss of generality). By Dirichlet's Theorem, the arithmetic progression $np + q$
($n = 0, 1, \ldots$) contains an infinite number of primes. Let $n > 1$ be such that
$np + q$ is a prime and let $s = np$. Then $\mathfrak{A} \models \varphi(a)$, since $q + s = np + q$ is
prime, and $\mathfrak{A} \not\models \varphi(b)$, since $p + s = (n + 1)p$ is composite. Thus, the agreement
$\mathcal{G}(\mathrm{FO}(Q_{\mathrm{Prime}}))$ is not weakly-local.



7 Hanf-Locality 

We now present a condition that guarantees Hanf-locality of agreements. While 
still easy to state, this condition already fails for some logics, notably for FO. 

We say that $\mathcal{F}(A,B)$ is a matching tactic if the union $\bigcup_{f \in \mathcal{F}(A,B)} \mathrm{graph}(f)$
is a matching on $A \times B$. That is, the union of all the functions from $\mathcal{F}(A,B)$ is
a partial bijection. For example, all the tactics in $\mathcal{G}(\mathcal{L}^*_{\infty\omega}(\mathbf{Cnt}))$ are matching.

From a tactic $\mathcal{F}(A,B)$ we define a relation $\sim_{\mathcal{F}(A,B)}$ as the minimal relation
that contains $\mathrm{graph}(f)$ for each $f \in \mathcal{F}(A,B)$ and satisfies the following: if $a \sim_{\mathcal{F}(A,B)} b'$,
$a' \sim_{\mathcal{F}(A,B)} b$ and $f(a') = b'$ for some $f \in \mathcal{F}(A,B)$, then $a \sim_{\mathcal{F}(A,B)} b$.

Another way of looking at this relation is the following: $a \sim_{\mathcal{F}(A,B)} b$ if there is
a sequence $(a_0, b_1, a_1, b_2, a_2, \ldots, b_{m-1}, a_{m-1}, b_m)$ where $a_0 = a$, $b_m = b$, and for
every $i$ with $1 \le i \le m - 1$ there are $f, f' \in \mathcal{F}(A,B)$ such that $b_i = f(a_{i-1}) = f'(a_i)$,
and $b_m = f(a_{m-1})$ for some $f \in \mathcal{F}(A,B)$.

Definition 7. … matching … $\mathcal{T}(A,B) \in \mathcal{G}$ … $\mathcal{Q}(A,B) \in \mathcal{G}$ … $\bigcup_{g \in \mathcal{Q}(A,B)} \mathrm{graph}(g)$ … $\sim_{\mathcal{T}(A,B)}$ …

If every tactic in an agreement is matching, then the agreement itself is
matching. However, some agreements can be matching and have non-matching
tactics (examples will be given in the full version of the paper). The following
holds trivially:

Proposition 6. …

Recall that an agreement $\mathcal{G}$ is Hanf-local if for every $k, m > 0$ there exist
$d, l > 0$ such that, for every two structures $\mathfrak{A}, \mathfrak{B}$ and every $\vec{a} \in A^m$ and $\vec{b} \in B^m$,
if $(\mathfrak{A}, \vec{a})$ … $(\mathfrak{B}, \vec{b})$ then $(\mathfrak{A}, \vec{a}) \equiv_k^{\mathcal{G}} (\mathfrak{B}, \vec{b})$. The minimum $d$ for which the above
condition holds is called the Hanf locality rank of $\mathcal{G}$ and is denoted
by $\mathrm{hlr}_{\mathcal{G}}(k, m)$.

Theorem 2. … $\mathcal{G}$ … $\mathrm{hlr}_{\mathcal{G}}(k, m) = O(2^k)$ …

Corollary 2. $\mathcal{G}(\mathcal{L}^*_{\infty\omega}(\mathbf{Cnt}))$ is Hanf-local … $\mathrm{hlr}_{\mathcal{G}(\mathcal{L}^*_{\infty\omega}(\mathbf{Cnt}))}(k, m) = O(2^k)$ …

Thus, $\mathcal{L}^*_{\infty\omega}(\mathbf{Cnt})$ is Hanf-local under its games. This nice behavior, however,
does not extend to other logics known to possess the isomorphism-based Hanf-
locality property.

Proposition 7. (see [25]) FO … FO$(Q_p)$ not …

For FO, this is proved by taking $G_1$ to be the complete graph with $2N$
vertices, and $G_2$ to be the disjoint union of two complete graphs with $N$ vertices
each. For every $d$ and $l$, any bijection between the nodes of these graphs witnesses
… as long as $N > l$, and yet $G_1$ and $G_2$ disagree on $\exists x \exists y\, \neg E(x, y)$.
For FO$(Q_p)$, the same proof works, but $N$ is taken to be $p \cdot (l + 1)$.

8 Gaifman-Locality 

Recall that $\mathcal{G}$ is Gaifman-local if for every $k, m > 0$ there exist $d, l > 0$ such
that, for every $\mathfrak{A}$ and $\mathfrak{B}$ and every $\vec{a} \in A^m$ and $\vec{b} \in B^m$, we have $(\mathfrak{A}, \vec{a}) \equiv_k^{\mathcal{G}} (\mathfrak{B}, \vec{b})$
whenever $\mathfrak{A} \equiv_l^{\mathcal{G}} \mathfrak{B}$ and $N_d^{\mathfrak{A}}(\vec{a}) \equiv_l^{\mathcal{G}} N_d^{\mathfrak{B}}(\vec{b})$. The minimum such $d$ is called
the Gaifman locality rank of $\mathcal{G}$, and denoted by $\mathrm{lr}_{\mathcal{G}}(k, m)$.

Our goal is to show that the agreements defining games for FO, FO$(Q_p)$, and
$\mathcal{L}^*_{\infty\omega}(\mathbf{Cnt})$ are all Gaifman-local. The proof of this fact is easier for more ex-
pressive logics such as $\mathcal{L}^*_{\infty\omega}(\mathbf{Cnt})$ (this will be explained shortly). In that case,
one can show the following:

Lemma 2. … $\mathrm{lr}_{\mathcal{G}}(k, m) \le 3 \cdot \mathrm{hlr}_{\mathcal{G}}(k, m) + 1$ …

This tells us that $\mathcal{L}^*_{\infty\omega}(\mathbf{Cnt})$ is Gaifman-local under its games:

Corollary 3. $\mathcal{G}(\mathcal{L}^*_{\infty\omega}(\mathbf{Cnt}))$ is Gaifman-local … $\mathrm{lr}_{\mathcal{G}(\mathcal{L}^*_{\infty\omega}(\mathbf{Cnt}))}(k, m) = O(2^k)$ …
We next move to Gaifman-locality for FO and FO with modulo quantifiers.
Gaifman-locality for them is the hardest of the locality conditions we consider
here, mainly for the following three reasons. First, it requires reasoning
about overlapping neighborhoods, which is known to cause complications in the
study of locality (see, e.g., [11]). Second, it is a strong notion that implies the
existence of normal forms for logical formulae. Such normal forms have been
shown for FO [10,25]. Third, while establishing Gaifman-locality and normal
forms, we match the best bound for the Gaifman-locality rank for FO, $O(4^k)$. (In
Gaifman's original proof, it was $O(7^k)$; the $O(4^k)$ bound is from [18]. For the
"one-structure" version, and the isomorphism-based locality, the bound can be
further reduced to $O(2^k)$ [20].)

We now show that logics which are Gaifman-local under their games admit
a normal form, under the condition that the relations $\equiv_k^{\mathcal{G}}$ are of finite index (as
they are for FO and several other logics). In that case, every formula is equivalent
to a Boolean combination of sentences and formulae evaluated in a neighborhood
of its free variables. More precisely, for a logic $\mathcal{L}$ that satisfies the basic closure
properties of [4] (that is, any reasonable logic, e.g., closed under $\vee$, $\wedge$, $\neg$), we can
show the following.

Theorem 3. … $\mathcal{L}$ … $\varphi_1, \ldots, \varphi_n$ … $\psi_1(\vec{x}), \ldots, \psi_m(\vec{x})$ … $\beta : \{0,1\}^{n+m} \to \{0,1\}$ …

$$\mathfrak{A} \models \varphi(\vec{a}) \;\Leftrightarrow\; \beta\big(\varphi_1(\mathfrak{A}), \ldots, \varphi_n(\mathfrak{A}), \psi_1(N_d^{\mathfrak{A}}(\vec{a})), \ldots, \psi_m(N_d^{\mathfrak{A}}(\vec{a}))\big) = 1,$$

where … $\equiv_k^{\mathcal{G}}$ … $\mathcal{L}$ … and

$$\varphi_i(\mathfrak{A}) = \begin{cases} 1 & \text{if } \mathfrak{A} \models \varphi_i \\ 0 & \text{if } \mathfrak{A} \not\models \varphi_i \end{cases}
\qquad
\psi_j(N_d^{\mathfrak{A}}(\vec{a})) = \begin{cases} 1 & \text{if } N_d^{\mathfrak{A}}(\vec{a}) \models \psi_j(\vec{a}) \\ 0 & \text{if } N_d^{\mathfrak{A}}(\vec{a}) \models \neg\psi_j(\vec{a}). \end{cases}$$



Thus, proving Gaifman-locality under games is comparable to proving a re-
sult like Gaifman's theorem itself. We now do this for FO and the following
generalization of FO$(Q_p)$.

If $p_1, \ldots, p_r$ is a sequence of numbers, then FO$(Q_{p_1}, \ldots, Q_{p_r})$ ex-
tends FO with all the generalized quantifiers $Q_{p_i}$. This logic is cap-
tured by $\mathcal{G}(\mathrm{FO}(Q_{p_1}, \ldots, Q_{p_r}))$-games, where each tactic in the agreement
$\mathcal{G}(\mathrm{FO}(Q_{p_1}, \ldots, Q_{p_r}))$ is simply a union of tactics from each of the $\mathcal{G}(\mathrm{FO}(Q_{p_i}))$'s.

Theorem 4. … $\mathcal{G}(\mathrm{FO})$ … $\mathcal{G}(\mathrm{FO}(Q_{p_1}, \ldots, Q_{p_r}))$ … $p_1, \ldots, p_r$ … $\mathcal{G}$ … $\mathrm{lr}_{\mathcal{G}}(k, m) = O(4^k)$ …

Note that the bound shown for both FO and FO$(Q_{p_1}, \ldots, Q_{p_r})$ matches the
best bound previously known for FO [18]. Furthermore, since for both FO and
$\mathcal{G}(\mathrm{FO}(Q_{p_1}, \ldots, Q_{p_r}))$ the relation $\equiv_k^{\mathcal{G}}$ is of finite index, the normal form result
(Theorem 3) applies to them. For FO, this is of course known and follows from
the local normal forms of [10, 25]. Our proof, however, is new, and is based entirely
on structural properties of games.
9 Conclusions

We looked at the natural extensions of three standard locality notions that use
logical equivalence (or equivalence under games) of neighborhoods, as opposed
to the much stronger condition of isomorphism. Such locality notions can be
applied in several scenarios where the standard isomorphism-based notions of
locality are inapplicable. In fact, their applicability to FO has already been used
in data exchange and integration scenarios to help draw the boundary between
rewritable and non-rewritable queries [1].

We defined an abstract view of games that lets us consider the notions of
locality in an abstract setting, independent of a particular logic. This approach
is applicable to many logics which are captured by games and whose types are
definable in the logic itself (with some exceptions, of course, such as finite vari-
able logics [3], but some of them are non-local). We identified conditions that
guarantee the main notions of locality for those games.

The notion for which most questions remain is Gaifman-locality. Unlike the oth-
ers, which admit $O(2^k)$ bounds on the locality rank, for Gaifman-locality we could
only show an $O(4^k)$ bound, and even that matches the very recently discovered
bound for FO, as those previously known were of the order of $7^k$. We would
like to settle the case of Gaifman-locality completely, by finding natural condi-
tions for it that account for all the known cases, and by precisely calculating the
locality rank.
Abstract. For nested or heterogeneous datatypes, terminating recur-
sion schemes considered so far have been instances of iteration, exclud- 
ing efficient definitions of fixed-point unfolding. Two solutions of this 
problem are proposed: The first one is a system with equi-recursive non- 
strictly positive type constructors of arbitrary finite kinds, where fixed- 
point unfolding is computationally invisible due to its treatment on the 
level of type equality. Positivity is ensured by a polarized binding system, 
and strong normalization is proven by a model construction based on sat- 
urated sets. The second solution is a formulation of primitive recursion 
for arbitrary type constructors of any rank. Although without positiv- 
ity restriction, the second system embeds — even operationally — into the 
first one. 



1 Introduction 

Recently, higher-rank datatypes have drawn interest in the functional program-
ming community [Oka96, Hin01]. Rank-2 non-regular types, so-called nested
datatypes, have been investigated in the context of the functional programming lan-
guage Haskell. To define total functions which traverse nested datastructures,
Bird et al. [BP99a] have developed …, which implement an iter-
ation scheme and are strong enough to encode most of the known algorithms
for nested datatypes. In this work, we investigate schemes to overcome some
limitations of iteration which we expound in the following.

Since the work of Böhm … [BB85] it is well-known that iteration for rank-1
datatypes can be simulated in typed lambda calculi. The easiest examples are
iterative definitions of addition and multiplication for Church numerals. The
iterative definition of the predecessor, however, is inefficient: it traverses the
whole numeral in order to remove one constructor. Surely, taking the predecessor
should run in constant time.

Primitive recursion is the combination of iteration and efficient predecessor.
A typical example for a primitive recursive algorithm is the natural definition
A typical example for a primitive recursive algorithm is the natural definition 
of the factorial function. It is common belief that primitive recursion cannot be
reduced to iteration in a computationally faithful manner. This is because no en-
coding of natural numbers in the polymorphic lambda-calculus (System F) seems
possible which supports a constant-time predecessor operation (see Splawski and
Urzyczyn [SU99]).

In this article, we present two approaches to overcome the predecessor di-
lemma for higher-rank datatypes. A … solution, presented in Section 2, is
System $\mathrm{Fix}^\omega$ of non-strictly positive equi-recursive type constructors, which han-
dles folding and unfolding for fixed points on the level of types, trivially yielding
an efficient predecessor. $\mathrm{Fix}^\omega$ is proven strongly normalizing in Section 3. Even
though the system has no native means of recursion, a powerful scheme of primi-
tive recursion is definable in $\mathrm{Fix}^\omega$. This schema is embodied in our formulation of
a … system $\mathrm{MRec}^\omega$, given in Section 4. In Section 4.2 we give an extensive
example of a function which can most naturally be implemented with primitive
recursion — redecoration for triangular matrices. Finally, we give the details of
the definition of $\mathrm{MRec}^\omega$ within $\mathrm{Fix}^\omega$, hence establishing strong normalization of
the primitive recursion scheme as well (Section 5).



2 System $\mathrm{Fix}^\omega$

Since Mendler [Men87], it is known that type equations of the form $X = A$, with
$X$ a type variable and $A$ a type expression, can only be added to System F in
case $X$ only occurs positively in $A$. Otherwise, strong normalization of typable
terms is lost. In this section, we show that the positive part of Mendler's finding,
namely strong normalization in the case where $X$ only occurs positively in $A$,
can be extended to equations for type constructors of arbitrary finite kind, hence
within the framework $\mathrm{F}^\omega$ of higher-order parametric polymorphism.

Equations in solved form, i.e., with a constructor variable on the left-hand
side, can equivalently be treated by an explicit type constructor for fixed-points
[Urz96]. In the case of fixed-points of types, the purported solution of $X = C$
would be written as the type $\mathsf{fix}\,X.\,C$, with its characteristic equation being
$\mathsf{fix}\,X.\,C = [\mathsf{fix}\,X.\,C/X]C$. In the case of nested datatypes, we are interested in
equations like $X\,A = A + X(A \times A)$, where $A$ now denotes a … .
This would be solved by $\mathsf{PList} = \mathsf{fix}\,X.\,\lambda A.\,A + X(A \times A)$. $\mathsf{PList}\,A$ stands for
powerlists over $A$, i.e., lists with $2^n$ elements of type $A$, for some (unspecified)
$n$, which can clearly be seen to be the least fixed-point of the above equation.
With function kinds at hand, we can pass from $\mathsf{fix}\,X.\,C$ to $\mathsf{fix}\,F$ with $F := \lambda X.\,C$,
which is a type transformer.

A manifest idea to isolate positive constructors systematically is to distin- 
guish covariant (monotone), contravariant (antitone) and invariant (no informa- 
tion about monotonicity) constructors through the binding system. Such systems 
have been found independently by L. Cardelli, B. C. Pierce, the first author 
and others, but published only by Steffen [Ste98] and Duggan and Compagnoni 
[DC98]. In both publications, polarized kinds are used to model subtyping of 
container types like lists and arrays in object-oriented calculi. We are reusing 
Polarities $p ::= {+}$ (covariant) $\mid {-}$ (contravariant) $\mid {\circ}$ (invariant)

Kinds $\kappa ::= * \mid p\kappa \to \kappa$

Constructors $A, B, F, G ::= X \mid \lambda X^{p\kappa}.\,F \mid F\,G \mid A \to B \mid \forall X^{\kappa}.\,A \mid \mathsf{fix}\,F$

Objects (terms) $r, s, t ::= x \mid \lambda x.\,t \mid r\,s$

Contexts $\Delta ::= \diamond \mid \Delta, x{:}A \mid \Delta, X^{p\kappa}$

Table 1. Language of $\mathrm{Fix}^\omega$



their ideas to formulate positive recursive constructors in a strongly normalizing
language.

Each function kind $\kappa \to \kappa'$ is decorated with a polarity, yielding $p\kappa \to \kappa'$
in Duggan and Compagnoni's notation. For covariant constructors, $p = +$, for
contravariant, $p = -$, and $p = \circ$ if the constructor is neither co- nor contravariant
or its variance is unknown. Consequently, abstracted variables now carry binding
and polarity information. For instance, we have

$$\lambda X^{+(+* \to *)}\lambda A^{+*}.\; X(X\,A) \;:\; +(+* \to *) \to (+* \to *).$$

The binding expresses that $X \circ X$ is covariant if $X$ is, and that the "twice"
operation $\lambda X.\,X \circ X$ is itself covariant on covariant arguments, meaning that we
may form its fixed point, which would in turn be covariant.$^1$ We can also classify
invariant constructors, e.g., $\lambda A^{\circ *}.\,A \to X(A \times A) \;:\; \circ * \to *$ for invariant $X$
that occurs covariantly, indicated by … in the context, and contravariant
constructors like $\lambda X^{-*}.\,X \to \bot \;:\; -* \to *$. Consequently, $\lambda X^{+*}.\,(X \to \bot) \to \bot \;:\; +* \to *$,
which hence includes non-strictly positive type transformers.$^2$

… $\mathrm{Fix}^\omega$. Table 1 shows the syntactic entities of System $\mathrm{Fix}^\omega$, an ex-
tension of $\mathrm{F}^\omega$ by polarized kinds and fixed-points of constructors. Typically, the
empty context "$\diamond$" will be suppressed. Furthermore we assume all variables in a
context $\Delta$ to be pairwise distinct. Capture-avoiding substitution of constructor
$G$ for variable $X$ in constructor $F$ is written as $[G/X]F$; likewise substitution
in terms is denoted by $[s/x]t$. As usual, it is assumed that constructor applica-
tion and term application associate to the left, e.g., $F\,G\,X$ denotes $(F\,G)\,X$ and
$(\lambda x.\,r)\,s\,t$ denotes $((\lambda x.\,r)\,s)\,t$. Iterated applications may be "vectorized", i.e.,
$r\,t_1 \ldots t_n$ will be written as $r\,\vec{t}$ with $\vec{t} := t_1, \ldots, t_n$. Then, $|\vec{t}| := n$.

While we are using Curry-style objects to express solely the operational be-
havior, for the type constructors we decided on Church style in order to simplify



$^1$ The kind of $\lambda X.\,X \circ X$ obtained here is a syntactic approximation and simplification
of the more logic-based concept of rank-2 monotonicity introduced in [Mat01].

$^2$ Most dependently typed systems such as Coq do not allow non-strict positivity for
their native fixed points due to the consistency problem reported in [CP88].
the semantics definition in Section 3. The same decision has been taken by
Giannini et al. [GHR93], where equivalence with pure Church typing is also es-
tablished. Note, however, that impredicative systems with dependent types are
richer in this mixed style [vBL+97].



Negation of a polarity, $-p$, is given by the
three equations $-(+) = -$, $-(-) = +$ and $-(\circ) = \circ$. We define the application $p\Delta$
of a polarity $p$ to a polarized context $\Delta$. Positive polarity is neutral and changes
nothing: $+\Delta = \Delta$. The operation $-\Delta$ reverses all polarities in $\Delta$. Furthermore
$\circ\Delta$ discards all co- and contravariant type variable bindings.



We introduce a judgement $\Delta \vdash F : \kappa$ which combines the usual notions
of wellkindedness and positive and negative occurrences of type variables. It
ensures that fixed-points can only be formed over positive type constructors.

$$\frac{X^{p\kappa} \in \Delta \quad p \in \{+, \circ\}}{\Delta \vdash X : \kappa} \qquad
\frac{\Delta, X^{p\kappa} \vdash F : \kappa'}{\Delta \vdash \lambda X^{p\kappa}.\,F : p\kappa \to \kappa'} \qquad
\frac{\Delta \vdash F : p\kappa \to \kappa' \quad p\Delta \vdash G : \kappa}{\Delta \vdash F\,G : \kappa'}$$

$$\frac{-\Delta \vdash A : * \quad \Delta \vdash B : *}{\Delta \vdash A \to B : *} \qquad
\frac{\Delta, X^{\circ\kappa} \vdash A : *}{\Delta \vdash \forall X^{\kappa}.\,A : *} \qquad
\frac{\Delta \vdash F : +\kappa \to \kappa}{\Delta \vdash \mathsf{fix}\,F : \kappa}$$

Kinding is syntax-directed, and, since we are using Church-style constructors,
for given $\Delta$ and $F$, the kind $\kappa$ of $F$ can be computed by structural recursion on $F$.
As a consequence, all rules are invertible in the strong sense that we can recover
the applied rule and all the parts of its premises from a given kinding judgement.

The arrow in kinds and in types is assumed to associate to the right, e.g.,
$A \to B \to C$ stands for $A \to (B \to C)$ and $+* \to -\kappa \to \kappa'$ stands for
$+* \to (-\kappa \to \kappa')$.

We can define standard type constructors via the usual impredica-
tive encodings and get more informative kinds:



$$\begin{array}{lcl}
\times & : & +* \to +* \to * \\
\times & := & \lambda X^{+*}\lambda Y^{+*}\forall Z^{*}.\,(X \to Y \to Z) \to Z \\[4pt]
+ & : & +* \to +* \to * \\
+ & := & \lambda X^{+*}\lambda Y^{+*}\forall Z^{*}.\,(X \to Z) \to (Y \to Z) \to Z \\[4pt]
\exists^{\kappa} & : & +(\circ\kappa \to *) \to * \\
\exists^{\kappa} & := & \lambda F^{+(\circ\kappa \to *)}\forall Z^{*}.\,(\forall X^{\kappa}.\,F\,X \to Z) \to Z
\end{array}$$

Notice that all these examples use non-strict positivity. We will use $+$ and $\times$
infix.



The reader is invited to check the examples in the introduction,
using $\bot := \forall X^{*}.\,X$ of kind $*$.
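As an added worked derivation (not from the paper), the following checks the non-strictly positive transformer $\lambda X^{+*}.\,(X \to \bot) \to \bot$ from the introduction against the kinding rules above, and contrasts it with the single negation; the context name $\Delta_0$ and the bound variable $Y$ in $\bot$ are ours.

```latex
% Added worked example, not from the paper. Uses only the kinding rules above,
% with bot := forall Y^*. Y (bound variable renamed). Let D0 := X^{+*}, so
% -D0 = X^{-*} and -(-D0) = D0.
%
% (1) The body (X -> bot) -> bot is kinded under D0. The left premise of the
%     arrow rule is taken under -D0, and the inner arrow flips the polarity
%     again, so X is looked up under -(-D0) = D0, where it carries +.
\[
\dfrac{
  \dfrac{
    \dfrac{X^{+*} \in \Delta_0 \quad {+} \in \{+,\circ\}}{\Delta_0 \vdash X : *}
    \qquad
    \dfrac{\dfrac{Y^{\circ *} \in -\Delta_0, Y^{\circ *} \quad {\circ} \in \{+,\circ\}}{-\Delta_0, Y^{\circ *} \vdash Y : *}}{-\Delta_0 \vdash \forall Y^{*}.\,Y : *}
  }{-\Delta_0 \vdash X \to \bot : *}
  \qquad
  \dfrac{\dfrac{Y^{\circ *} \in \Delta_0, Y^{\circ *} \quad {\circ} \in \{+,\circ\}}{\Delta_0, Y^{\circ *} \vdash Y : *}}{\Delta_0 \vdash \forall Y^{*}.\,Y : *}
}{\Delta_0 \vdash (X \to \bot) \to \bot : *}
\]
% (2) Abstraction, and the fixed point, which requires the + on the domain:
\[
\dfrac{X^{+*} \vdash (X \to \bot) \to \bot : *}{\diamond \vdash \lambda X^{+*}.\,(X \to \bot) \to \bot : +* \to *}
\qquad
\dfrac{\diamond \vdash \lambda X^{+*}.\,(X \to \bot) \to \bot : +* \to *}{\diamond \vdash \mathsf{fix}\,(\lambda X^{+*}.\,(X \to \bot) \to \bot) : *}
\]
% (3) Contrast: for the single negation X -> bot under D0, the variable rule
%     is asked for X under -D0 = X^{-*}, where p = - is not in {+, o}, so
%       X^{+*} |- X -> bot : *      is NOT derivable.
%     Only X^{-*} |- X -> bot : * is, giving
%       lambda X^{-*}. X -> bot : -* -> *,
%     to which the fix rule (premise +kappa -> kappa) does not apply. The
%     binding system thus admits the double negation and rejects the single
%     one, matching Mendler's positivity condition quoted in this section.
```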

Kinding enjoys the usual properties of weakening and strengthening, as well
as substitution, which respects polarities:

Lemma 1 (Substitution). If $\Delta, X^{p\kappa} \vdash F : \kappa'$ and $p\Delta \vdash G : \kappa$ then $\Delta \vdash [G/X]F : \kappa'$.

Proof. By induction on $\Delta, X^{p\kappa} \vdash F : \kappa'$.
The $\beta$-equality $F = F'$ of constructors $F, F'$ is given by
the following rules, hence only in the qualified form with contexts:

Computation axioms.

$$\frac{\Delta, X^{p\kappa} \vdash F : \kappa' \quad p\Delta \vdash G : \kappa}{\Delta \vdash (\lambda X^{p\kappa}.\,F)\,G = [G/X]F : \kappa'} \qquad
\frac{\Delta \vdash F : +\kappa \to \kappa}{\Delta \vdash \mathsf{fix}\,F = F\,(\mathsf{fix}\,F) : \kappa}$$

Congruences.

$$\frac{X^{p\kappa} \in \Delta \quad p \in \{+, \circ\}}{\Delta \vdash X = X : \kappa} \qquad
\frac{\Delta \vdash F = F' : p\kappa \to \kappa' \quad p\Delta \vdash G = G' : \kappa}{\Delta \vdash F\,G = F'\,G' : \kappa'}$$

$$\frac{\Delta, X^{p\kappa} \vdash F = F' : \kappa'}{\Delta \vdash \lambda X^{p\kappa}.\,F = \lambda X^{p\kappa}.\,F' : p\kappa \to \kappa'} \qquad
\frac{\Delta, X^{\circ\kappa} \vdash A = A' : *}{\Delta \vdash \forall X^{\kappa}.\,A = \forall X^{\kappa}.\,A' : *}$$

$$\frac{-\Delta \vdash A' = A : * \quad \Delta \vdash B = B' : *}{\Delta \vdash A \to B = A' \to B' : *} \qquad
\frac{\Delta \vdash F = F' : +\kappa \to \kappa}{\Delta \vdash \mathsf{fix}\,F = \mathsf{fix}\,F' : \kappa}$$

Symmetry and transitivity.

$$\frac{\Delta \vdash F = F' : \kappa}{\Delta \vdash F' = F : \kappa} \qquad
\frac{\Delta \vdash F_1 = F_2 : \kappa \quad \Delta \vdash F_2 = F_3 : \kappa}{\Delta \vdash F_1 = F_3 : \kappa}$$

Lemma 2 (Reflexivity). If $\Delta \vdash F : \kappa$ then $\Delta \vdash F = F : \kappa$.

Lemma 3 (Kindedness). If $\Delta \vdash F = F' : \kappa$ then $\Delta \vdash F : \kappa$ and $\Delta \vdash F' : \kappa$.

Wellformed contexts $\Delta\ \mathrm{ext}$ and the typing judgement $\Delta \vdash t : A$ are given by the following rules:

$$\frac{}{\diamond\ \mathrm{ext}} \qquad
\frac{\Delta\ \mathrm{ext} \quad \Delta \vdash A : *}{\Delta, x{:}A\ \mathrm{ext}} \qquad
\frac{\Delta\ \mathrm{ext}}{\Delta, X^{p\kappa}\ \mathrm{ext}}$$

$$\frac{(x{:}A) \in \Delta \quad \Delta\ \mathrm{ext}}{\Delta \vdash x : A} \qquad
\frac{\Delta, x{:}A \vdash t : B}{\Delta \vdash \lambda x.\,t : A \to B} \qquad
\frac{\Delta \vdash r : A \to B \quad \Delta \vdash s : A}{\Delta \vdash r\,s : B}$$

$$\frac{\Delta, X^{\circ\kappa} \vdash t : A}{\Delta \vdash t : \forall X^{\kappa}.\,A} \qquad
\frac{\Delta \vdash t : \forall X^{\kappa}.\,A \quad \circ\Delta \vdash F : \kappa}{\Delta \vdash t : [F/X]A} \qquad
\frac{\Delta \vdash t : A \quad \Delta \vdash A = B : *}{\Delta \vdash t : B}$$

Welltyped terms are closed under substitution (as are constructors, cf. Lemma 1).

As opposed to iso-recursive types with "verbose" folding and unfolding, equi-
recursive types yield a leaner term language and hence a more succinct semantics.

Lemma 4. If $\Delta \vdash t : A$ and $\Delta\ \mathrm{ext}$ then $\Delta \vdash A : *$.

Proof. By induction on $\Delta \vdash t : A$.

The one-step reduction relation $t \longrightarrow t'$ between terms $t$ and $t'$ is
defined as the closure of the $\beta$-axiom $(\lambda x.\,t)\,s \longrightarrow [s/x]t$ under all term con-
structors. We denote the transitive closure of $\longrightarrow$ by $\longrightarrow^{+}$. In the next section,
we will see that welltyped terms admit no infinite reduction $t_0 \longrightarrow t_1 \longrightarrow \cdots$
For the type $\mathsf{Nat} := \mathsf{fix}\,\lambda X^{+*}.\,1 + X$ (using $+$, de-
fined above, and $1 := \forall X^{*}.\,X \to X$), it is an easy exercise to define closed terms
$0 : \mathsf{Nat}$ and $S : \mathsf{Nat} \to \mathsf{Nat}$ (using the injections into sums) that represent the
natural numbers, and a closed term $P : \mathsf{Nat} \to \mathsf{Nat}$ (using the definable case
analysis construct) such that $P\,0 \longrightarrow^{+} 0$ and $P\,(S\,x) \longrightarrow^{+} x$.
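As an added worked example (not from the paper), the exercise just stated carried through in the system above: the sum injections are unfolded into plain Curry-style lambda terms, and the names $\mathsf{id}$, $\mathsf{inl}$, $\mathsf{inr}$, $K$ and $I$ are ours.

```latex
% Added worked example, not from the paper. Assumes the encodings above:
%   X + Y = forall Z^*. (X -> Z) -> (Y -> Z) -> Z,    1 = forall X^*. X -> X,
%   Nat = fix lambda X^{+*}. 1 + X, hence Nat = 1 + Nat by the fix axiom
%   and beta, which the conversion rule lets the typing use silently.
\begin{align*}
\mathsf{id}  &:= \lambda x.\,x \;:\; 1 \\
\mathsf{inl} &:= \lambda x.\lambda f.\lambda g.\; f\,x \;:\; 1 \to 1 + \mathsf{Nat} \\
\mathsf{inr} &:= \lambda y.\lambda f.\lambda g.\; g\,y \;:\; \mathsf{Nat} \to 1 + \mathsf{Nat} \\[4pt]
0 &:= \mathsf{inl}\,\mathsf{id} \;:\; \mathsf{Nat}
    \qquad\text{(by conversion, since } 1 + \mathsf{Nat} = \mathsf{Nat}\text{)} \\
S &:= \lambda n.\; \mathsf{inr}\,n \;:\; \mathsf{Nat} \to \mathsf{Nat} \\
P &:= \lambda n.\; n\,K\,I \;:\; \mathsf{Nat} \to \mathsf{Nat},
    \qquad K := \lambda u.\,0,\quad I := \lambda m.\,m
\end{align*}
% Typing of P: n : Nat = 1 + Nat is instantiated at Z := Nat, so n K I : Nat
% needs K : 1 -> Nat and I : Nat -> Nat, which both hold.
%
% The predecessor takes a fixed number of beta-steps whatever the numeral,
% because no traversal of the argument happens:
\begin{align*}
P\,0 &\longrightarrow (\mathsf{inl}\,\mathsf{id})\,K\,I
      \longrightarrow (\lambda f.\lambda g.\; f\,\mathsf{id})\,K\,I
      \longrightarrow (\lambda g.\; K\,\mathsf{id})\,I
      \longrightarrow K\,\mathsf{id}
      \longrightarrow 0 \\
P\,(S\,x) &\longrightarrow (S\,x)\,K\,I
      \longrightarrow (\mathsf{inr}\,x)\,K\,I
      \longrightarrow (\lambda f.\lambda g.\; g\,x)\,K\,I
      \longrightarrow (\lambda g.\; g\,x)\,I
      \longrightarrow I\,x
      \longrightarrow x
\end{align*}
% Hence P 0 ->+ 0 and P (S x) ->+ x, with no fold/unfold terms anywhere:
% the equation Nat = 1 + Nat is used only in the typing, never in reduction.
```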

3 Strong Normalization of $\mathrm{Fix}^\omega$

In this section we prove strong normalization of $\mathrm{Fix}^\omega$ by a model construction
where constructors are interpreted as operators on saturated sets. Due to space
constraints, the proof necessarily remains sketchy, but all definitions and facts
are given which are required to recover the detailed proof.

As is usual for proving (strong) normalization by a model, only the type
system has to be reflected in its construction. In System $\mathrm{F}^\omega$, this is just a
simply-typed lambda calculus, namely the (simply-)kinded type constructors.
Our system $\mathrm{Fix}^\omega$ additionally has the notions of monotonicity and fixed point.
Essentially, we therefore have to give a model of a simply-typed calculus of "syn-
tactically monotone lambda terms". Although the reader will not be surprised
by our solution, the authors were surprised that they were not able to find it in
the literature.

Following van Raamsdonk and Severi [vRS95, vRS+99] we define the set of
strongly normalizing lambda-terms inductively by the following rules (which are
implicitly also contained in [Gog95]).

$$\frac{t_i \in \mathrm{SN} \text{ for } 1 \le i \le |\vec{t}|}{x\,\vec{t} \in \mathrm{SN}} \qquad
\frac{t \in \mathrm{SN}}{\lambda x.\,t \in \mathrm{SN}} \qquad
\frac{[s/x]t\,\vec{s} \in \mathrm{SN} \quad s \in \mathrm{SN}}{(\lambda x.\,t)\,s\,\vec{s} \in \mathrm{SN}}$$

This characterization is sound, i.e., if $t_0 \in \mathrm{SN}$ then there is no infinite reduc-
tion sequence $t_0 \longrightarrow t_1 \longrightarrow \cdots$; for a proof see … . Our aim is to show $t \in \mathrm{SN}$
for each welltyped term $t$.

3.1 Lattices of Operators on Saturated Sets 

A set of terms $\mathcal{A}$ is called saturated, $\mathcal{A} \in \mathrm{SAT}^{*}$, if it contains only strongly nor-
malizing terms, $\mathcal{A} \subseteq \mathrm{SN}$, and $\mathcal{A}$ is closed under addition of strongly normalizing
neutral terms and strongly normalizing weak head expansion:

$$\frac{t_i \in \mathrm{SN} \text{ for } 1 \le i \le |\vec{t}|}{x\,\vec{t} \in \mathcal{A}} \qquad
\frac{[s/x]t\,\vec{s} \in \mathcal{A} \quad s \in \mathrm{SN}}{(\lambda x.\,t)\,s\,\vec{s} \in \mathcal{A}}$$

For sets of terms $\mathcal{A}, \mathcal{B}$ we define the function space $\mathcal{A} \to \mathcal{B} := \{r \in \mathrm{SN} \mid r\,s \in \mathcal{B} \text{ for all } s \in \mathcal{A}\}$. If $\mathcal{A}$ and $\mathcal{B}$ are saturated, so is $\mathcal{A} \to \mathcal{B}$. Furthermore
the function space construction is antitone in the domain and monotone in the
codomain: if $\mathcal{A}' \subseteq \mathcal{A}$ and $\mathcal{B} \subseteq \mathcal{B}'$ then $\mathcal{A} \to \mathcal{B} \subseteq \mathcal{A}' \to \mathcal{B}'$.

Given an index set $I$ and a family $\mathcal{A}_i$ ($i \in I$) of saturated sets, the infimum
$\bigcap_{i \in I} \mathcal{A}_i$ is also saturated. Formation of the infimum is monotone: given a second
family $\mathcal{A}'_i$ of pointwise greater members, $\mathcal{A}_i \subseteq \mathcal{A}'_i$, the infimum is also greater.
Taking the set $\mathrm{SN}$ as top element, the saturated sets, together
with inclusion, $(\mathrm{SAT}^{*}, \subseteq)$, constitute a complete lattice.

In our model for $\mathrm{Fix}^\omega$, types (= constructors of kind "$*$") will be interpreted
as saturated sets. To model constructors of higher kinds $\kappa$, we need to define a
poset $(\mathrm{SAT}^{\kappa}, \sqsubseteq^{\kappa})$ of (higher-order) operators on saturated sets for each kind $\kappa$.
For the base kind, let $\mathcal{A} \sqsubseteq^{*} \mathcal{A}'$ iff $\mathcal{A}, \mathcal{A}' \in \mathrm{SAT}^{*}$ and $\mathcal{A} \subseteq \mathcal{A}'$. To require
$\mathcal{A}, \mathcal{A}' \in \mathrm{SAT}^{*}$ is convenient because the reflexive elements of $\sqsubseteq^{*}$ are now exactly
the saturated sets: $\mathcal{A} \in \mathrm{SAT}^{*}$ iff $\mathcal{A} \sqsubseteq^{*} \mathcal{A}$. The notion of saturated set
$\mathrm{SAT}^{p\kappa \to \kappa'}$ and inclusion $\sqsubseteq^{p\kappa \to \kappa'}$ for higher kinds is defined by induction on the
kind. Let $\mathcal{F}, \mathcal{F}' \in \mathrm{SAT}^{\kappa} \to \mathrm{SAT}^{\kappa'}$ be set-theoretic functions.

$$\begin{array}{lcl}
\mathcal{F} \sqsubseteq^{p\kappa \to \kappa'} \mathcal{F}' & :\Longleftrightarrow & \mathcal{F}(\mathcal{G}) \sqsubseteq^{\kappa'} \mathcal{F}'(\mathcal{G}') \text{ for all } \mathcal{G}, \mathcal{G}' \in \mathrm{SAT}^{\kappa} \text{ with } \mathcal{G} \sqsubseteq^{p\kappa} \mathcal{G}' \\
\mathcal{F} \in \mathrm{SAT}^{p\kappa \to \kappa'} & :\Longleftrightarrow & \mathcal{F} \sqsubseteq^{p\kappa \to \kappa'} \mathcal{F}
\end{array}$$

Here, we used the abbreviations

$$\begin{array}{lcl}
\mathcal{G} \sqsubseteq^{+\kappa} \mathcal{G}' & :\Longleftrightarrow & \mathcal{G} \sqsubseteq^{\kappa} \mathcal{G}' \\
\mathcal{G} \sqsubseteq^{-\kappa} \mathcal{G}' & :\Longleftrightarrow & \mathcal{G}' \sqsubseteq^{\kappa} \mathcal{G} \\
\mathcal{G} \sqsubseteq^{\circ\kappa} \mathcal{G}' & :\Longleftrightarrow & \mathcal{G} \sqsubseteq^{\kappa} \mathcal{G}' \text{ and } \mathcal{G}' \sqsubseteq^{\kappa} \mathcal{G}.
\end{array}$$

(An easy induction on $\kappa$ shows that $\mathcal{G} \sqsubseteq^{\circ\kappa} \mathcal{G}'$ implies $\mathcal{G} = \mathcal{G}'$, but the present
definition is more suitable for a uniform treatment of all variances in the proofs
to follow.)

Each $\mathrm{SAT}^{\kappa}$ has a top element $\top^{\kappa}$ and infima $\bigsqcap^{\kappa}$: For the base kind, $\top^{*} = \mathrm{SN}$ and
$\bigsqcap^{*} = \bigcap$; for higher kinds they are defined pointwise: Let $\mathcal{F}_i \in \mathrm{SAT}^{p\kappa \to \kappa'}$ for
each $i \in I$. Then $\top^{p\kappa \to \kappa'} \in \mathrm{SAT}^{p\kappa \to \kappa'}$ with $\top^{p\kappa \to \kappa'}(\mathcal{G}) := \top^{\kappa'}$, and $\bigsqcap_{i \in I} \mathcal{F}_i \in \mathrm{SAT}^{p\kappa \to \kappa'}$ with $(\bigsqcap_{i \in I} \mathcal{F}_i)(\mathcal{G}) := \bigsqcap^{\kappa'}_{i \in I} \mathcal{F}_i(\mathcal{G})$.
$(\mathrm{SAT}^{\kappa}, \sqsubseteq^{\kappa})$ forms a complete lattice.

By Tarski's fixed-point theorem, each monotone operator $\mathcal{F}$ on a complete
lattice has a least fixed point $\mathrm{lfp}\,\mathcal{F}$. Indeed, given $\mathcal{F} \in \mathrm{SAT}^{+\kappa \to \kappa}$, we can define
the least fixed point by $\mathrm{lfp}\,\mathcal{F} := \bigsqcap\{\mathcal{G} \in \mathrm{SAT}^{\kappa} \mid \mathcal{F}(\mathcal{G}) \sqsubseteq^{\kappa} \mathcal{G}\}$, i.e., as the least
pre-fixed point of $\mathcal{F}$, which, by the theorem, is indeed a pre-fixed point of $\mathcal{F}$,
and also a post-fixed point: $\mathrm{lfp}\,\mathcal{F} \sqsubseteq^{\kappa} \mathcal{F}(\mathrm{lfp}\,\mathcal{F})$. We will use $\mathrm{lfp}$ to interpret fixed
points $\mathsf{fix}\,F$ of wellkinded constructors $F$.

3.2 Interpretation of Constructors 

In the following part we will define an interpretation $\llbracket F \rrbracket_\theta \in \mathrm{SAT}^{\kappa}$ for each
constructor $F$ of kind $\kappa$, where $\theta$ is a valuation for the free constructor variables
in $F$. For convenience, a valuation $\theta$ is a set-theoretical object which maps both
constructor variables $X$ to sets $\mathcal{F}$ and term variables $x$ to terms $t$. Update of
a valuation is written as $\theta[X \mapsto \mathcal{F}]$ resp. $\theta[x \mapsto t]$. We extend inclusion and
saturatedness to valuations by defining:

$$\begin{array}{lcl}
\theta \sqsubseteq^{\Delta} \theta' & :\Longleftrightarrow & \theta(X) \sqsubseteq^{p\kappa} \theta'(X) \text{ for all } X^{p\kappa} \in \Delta \\
\theta \in \mathrm{SAT}^{\Delta} & :\Longleftrightarrow & \theta \sqsubseteq^{\Delta} \theta
\end{array}$$
Lemma 5. Let $\theta \sqsubseteq^{\Delta} \theta'$. Then $\theta \sqsubseteq^{+\Delta} \theta'$, $\theta' \sqsubseteq^{-\Delta} \theta$, $\theta \sqsubseteq^{\circ\Delta} \theta'$ and $\theta' \sqsubseteq^{\circ\Delta} \theta$.

Proof. By induction on the generation of $\Delta$.

For the following definition and lemma, which is the crucial part of this nor-
malization proof, let $\Delta \vdash F : \kappa$. For $\theta \in \mathrm{SAT}^{\Delta}$, we define the interpretation
$\llbracket F \rrbracket_\theta \in \mathrm{SAT}^{\kappa}$ by induction on the structure of $F$. Simultaneously we need to
prove monotonicity of $\llbracket F \rrbracket$; the cases for definition and proof are given be-
low.

Lemma 6 (Monotonicity). If $\theta \sqsubseteq^{\Delta} \theta'$ then $\llbracket F \rrbracket_\theta \sqsubseteq^{\kappa} \llbracket F \rrbracket_{\theta'}$.

For $\theta = \theta'$, an immediate consequence of monotonicity is welldefinedness of the
interpretation, $\llbracket F \rrbracket_\theta \in \mathrm{SAT}^{\kappa}$.

Corollary 1 ($p$-Monotonicity). If $p\Delta \vdash F : \kappa$ and $\theta \sqsubseteq^{\Delta} \theta'$ then $\llbracket F \rrbracket_\theta \sqsubseteq^{p\kappa} \llbracket F \rrbracket_{\theta'}$.

Proof. In case $p = +$ the corollary just restates monotonicity
(Lemma 6). If $p = -$ then $\theta' \sqsubseteq^{-\Delta} \theta$ by Lemma 5. Using monotonicity, $\llbracket F \rrbracket_{\theta'} \sqsubseteq^{\kappa} \llbracket F \rrbracket_\theta$.
This is by definition equivalent to $\llbracket F \rrbracket_\theta \sqsubseteq^{-\kappa} \llbracket F \rrbracket_{\theta'}$. If otherwise $p = \circ$,
then by Lemma 5 both $\theta \sqsubseteq^{\circ\Delta} \theta'$ and $\theta' \sqsubseteq^{\circ\Delta} \theta$. By monotonicity $\llbracket F \rrbracket_\theta \sqsubseteq^{\kappa} \llbracket F \rrbracket_{\theta'}$
and $\llbracket F \rrbracket_{\theta'} \sqsubseteq^{\kappa} \llbracket F \rrbracket_\theta$, which entail by definition $\llbracket F \rrbracket_\theta \sqsubseteq^{\circ\kappa} \llbracket F \rrbracket_{\theta'}$. $\square$

Proof (of Lemma 6, together with the definition of $\llbracket F \rrbracket_\theta$). By induction on the shape of $F$.

— $\Delta \vdash X : \kappa$. Set $\llbracket X \rrbracket_\theta := \theta(X)$. By assumption, $X^{p\kappa} \in \Delta$ with $p \in \{+, \circ\}$.
The requirement $\theta \sqsubseteq^{\Delta} \theta'$ implies $\theta(X) \sqsubseteq^{\kappa} \theta'(X)$, hence $\llbracket X \rrbracket_\theta \sqsubseteq^{\kappa} \llbracket X \rrbracket_{\theta'}$ by
definition.

— $\Delta \vdash \lambda X^{p\kappa}.\,F : p\kappa \to \kappa'$. The interpretation is a set-theoretic function
$\llbracket \lambda X^{p\kappa}.\,F \rrbracket_\theta \in \mathrm{SAT}^{\kappa} \to \mathrm{SAT}^{\kappa'}$, $\llbracket \lambda X^{p\kappa}.\,F \rrbracket_\theta(\mathcal{G}) := \llbracket F \rrbracket_{\theta[X \mapsto \mathcal{G}]}$. To show mono-
tonicity, assume $\mathcal{G}, \mathcal{G}' \in \mathrm{SAT}^{\kappa}$ with $\mathcal{G} \sqsubseteq^{p\kappa} \mathcal{G}'$. By inversion of the typing
derivation, $\Delta, X^{p\kappa} \vdash F : \kappa'$, and, since $\theta[X \mapsto \mathcal{G}] \sqsubseteq^{\Delta, X^{p\kappa}} \theta'[X \mapsto \mathcal{G}']$, by
induction hypothesis $\llbracket F \rrbracket_{\theta[X \mapsto \mathcal{G}]} \sqsubseteq^{\kappa'} \llbracket F \rrbracket_{\theta'[X \mapsto \mathcal{G}']}$. Hence, $\llbracket \lambda X^{p\kappa}.\,F \rrbracket_\theta(\mathcal{G}) \sqsubseteq^{\kappa'}
\llbracket \lambda X^{p\kappa}.\,F \rrbracket_{\theta'}(\mathcal{G}')$ by definition. To conclude, $\llbracket \lambda X^{p\kappa}.\,F \rrbracket$ is monotone.

— $\Delta \vdash F\,G : \kappa'$. Set $\llbracket F\,G \rrbracket_\theta := \llbracket F \rrbracket_\theta(\llbracket G \rrbracket_\theta)$. Monotonicity and welldefinedness
can be seen as follows. By inversion of the binding derivation, $\Delta \vdash F : p\kappa \to \kappa'$
and $p\Delta \vdash G : \kappa$. Assume $\theta \sqsubseteq^{\Delta} \theta'$. By the first induction hypothesis,
$\llbracket F \rrbracket_\theta \sqsubseteq^{p\kappa \to \kappa'} \llbracket F \rrbracket_{\theta'}$. By the second induction hypothesis, with Corollary 1,
$\llbracket G \rrbracket_\theta \sqsubseteq^{p\kappa} \llbracket G \rrbracket_{\theta'}$. Putting things together, $\llbracket F \rrbracket_\theta(\llbracket G \rrbracket_\theta) \sqsubseteq^{\kappa'} \llbracket F \rrbracket_{\theta'}(\llbracket G \rrbracket_{\theta'})$,
which by definition entails our goal.

— $\Delta \vdash A \to B : *$. Set $\llbracket A \to B \rrbracket_\theta := \llbracket A \rrbracket_\theta \to \llbracket B \rrbracket_\theta$. By inversion, $-\Delta \vdash A : *$
and $\Delta \vdash B : *$. By induction hypothesis and Corollary 1, $\llbracket A \rrbracket_\theta \sqsubseteq^{-*} \llbracket A \rrbracket_{\theta'}$,
hence $\llbracket A \rrbracket_{\theta'} \subseteq \llbracket A \rrbracket_\theta$. Again, by induction hypothesis, $\llbracket B \rrbracket_\theta \sqsubseteq^{*} \llbracket B \rrbracket_{\theta'}$, hence
$\llbracket B \rrbracket_\theta \subseteq \llbracket B \rrbracket_{\theta'}$. Together, $\llbracket A \to B \rrbracket_\theta \subseteq \llbracket A \to B \rrbracket_{\theta'}$. Since the function space
construction is saturated, we conclude with $\llbracket A \to B \rrbracket_\theta \sqsubseteq^{*} \llbracket A \to B \rrbracket_{\theta'}$.

— $\Delta \vdash \forall X^{\kappa}.\,A : *$. Set $\llbracket \forall X^{\kappa}.\,A \rrbracket_\theta := \bigcap_{\mathcal{G} \in \mathrm{SAT}^{\kappa}} \llbracket A \rrbracket_{\theta[X \mapsto \mathcal{G}]}$. By inversion, $\Delta, X^{\circ\kappa} \vdash
A : *$. For arbitrary $\mathcal{G} \in \mathrm{SAT}^{\kappa}$, $\theta[X \mapsto \mathcal{G}] \sqsubseteq^{\Delta, X^{\circ\kappa}} \theta'[X \mapsto \mathcal{G}]$, hence
$\llbracket A \rrbracket_{\theta[X \mapsto \mathcal{G}]} \sqsubseteq^{*} \llbracket A \rrbracket_{\theta'[X \mapsto \mathcal{G}]}$ by induction hypothesis. This entails $\llbracket \forall X^{\kappa}.\,A \rrbracket_\theta \sqsubseteq^{*}
\llbracket \forall X^{\kappa}.\,A \rrbracket_{\theta'}$ by monotonicity and saturatedness of the infimum.

— $\Delta \vdash \mathsf{fix}\,F : \kappa$. Set $\llbracket \mathsf{fix}\,F \rrbracket_\theta := \mathrm{lfp}(\llbracket F \rrbracket_\theta)$. By inversion, $\Delta \vdash F : +\kappa \to
\kappa$, hence, by induction hypothesis, $\mathcal{F} := \llbracket F \rrbracket_\theta \in \mathrm{SAT}^{+\kappa \to \kappa}$ is a monotone
operator on $\mathrm{SAT}^{\kappa}$, and by Tarski's theorem the least fixed-point $\mathrm{lfp}\,\mathcal{F} \in \mathrm{SAT}^{\kappa}$
exists. To show monotonicity, we assume $\theta \sqsubseteq^{\Delta} \theta'$ and define $\mathcal{F}' := \llbracket F \rrbracket_{\theta'}$.
By monotonicity of $\llbracket F \rrbracket$, $\mathcal{F} \sqsubseteq^{+\kappa \to \kappa} \mathcal{F}'$. In particular, $\mathcal{F}(\mathcal{G}) \sqsubseteq^{\kappa} \mathcal{F}'(\mathcal{G})$ for
every $\mathcal{G} \in \mathrm{SAT}^{\kappa}$. Since $\mathrm{lfp}\,\mathcal{F}$ is a monotone function in its argument $\mathcal{F}$, we
are done. $\square$

The interpretation is compatible with substitution and constructor equality, 
as we show in the following lemmata. 

Lemma 7 (Soundness of Substitution). If $\Delta, X^{p\kappa} \vdash F : \kappa'$ and $p\Delta \vdash G : \kappa$, then $[\![[G/X]F]\!]_\theta = [\![F]\!]_{\theta[X \mapsto [\![G]\!]_\theta]}$ for all $\theta \in \mathrm{SAT}^\Delta$.

Proof. By induction on the structure of $F$.

Lemma 8 (Soundness of Equality). If $\Delta \vdash F = F' : \kappa$ then $[\![F]\!]_\theta = [\![F']\!]_\theta$ for all $\theta \in \mathrm{SAT}^\Delta$.

Proof. By induction on constructor equality, using the previous lemma for the first computation rule.

3.3 Interpretation of Terms 

To complete our model, we define an interpretation $(\!|t|\!)_\theta$ of terms and then show $(\!|t|\!)_\theta \in [\![A]\!]_\theta$ for welltyped terms $\Delta \vdash t : A$ and sound valuations $\theta$. For wellformed contexts $\Delta$, a valuation is sound, $\theta \in [\![\Delta]\!]$, if $\theta \in \mathrm{SAT}^\Delta$ and $\theta(x) \in [\![A]\!]_\theta$ for each $(x : A) \in \Delta$. The term interpretation $(\!|t|\!)_\theta$ is simply the term $t$ itself where all free variables $x$ have been replaced by their value $\theta(x)$ in valuation $\theta$. Note that these values are strongly normalizing for sound valuations already; it remains to show that the full term $(\!|t|\!)_\theta$ is strongly normalizing for well-typed $\theta$. This is a consequence of the following theorem.

Theorem 1 (Soundness of Typing). If $\Delta \vdash t : A$ and $\theta \in [\![\Delta]\!]$, then $(\!|t|\!)_\theta \in [\![A]\!]_\theta$.

Proof. By induction on $\Delta \vdash t : A$. Note that by Lemma 4 the context $\Delta$ and the type $A$ are wellformed if the typing judgement is derivable. Since our term language is just pure lambda calculus, the proof is standard; for the rule of type equality use Lemma 8.

Corollary 2. If $\Delta \vdash t : A$, then $t$ is strongly normalizing.

Proof. By Theorem 1, choosing a valuation $\theta$ with $\theta(X) = \top^\kappa$ for all $X^{p\kappa} \in \Delta$ and $\theta(x) = x$ for all $(x : B) \in \Delta$. This valuation is sound since the type interpretation $[\![B]\!]_\theta$ is saturated, hence, contains $x$.
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4 Primitive Recursion for Heterogeneous Datatypes

In this section, we propose a second way to equip System $F^\omega$ with fixed points of higher rank. Therein, we follow Mendler [Men87] who also — besides considering type equations in System F — gave an extension of F by least and greatest fixed points, together with elimination schemes which we refer to as Mendler (co)recursion. We carry Mendler's schemes to higher ranks and define a system $\mathrm{MRec}^\omega$ as an extension of $F^\omega$ by least fixed points of type constructors, also called higher-order inductive types. In contrast to $\mathrm{Fix}^\omega$, which possesses equi-recursive types, $\mathrm{MRec}^\omega$ is in the style of iso-recursive type systems and has explicit introduction and elimination terms for inductive types. In analogy to Splawski and Urzyczyn [SU99] we conjecture that $\mathrm{MRec}^\omega$ has no reduction preserving embedding into $F^\omega$. However, it embeds into $\mathrm{Fix}^\omega$, as we will show in Section 5.

Our starting point is Curry-style System $F^\omega$, enriched with unit type $1$, binary products $A \times B$ and sums $A + B$ and the usual term constructors: $()$ for the inhabitant of the unit type, $(r, s)$, $\mathsf{fst}\, r$ and $\mathsf{snd}\, r$ for pairs and left and right projection, and $\mathsf{inl}\, t$, $\mathsf{inr}\, t$ and $\mathsf{case}(r, x.s, y.t)$ for left and right injection and case distinction. Note that there are no polarized kinds and no fixed-point constructors. An exposition of the exact rules for typing $\Gamma \vdash t : A$ and reduction $t \to t'$ can be found in the appendix of Abel et al. [AMU03]. Since $F^\omega$'s notion of constructor equivalence is just plain $\beta$-equality, we even identify constructors with their $\beta$-normal form on the syntactic level.

4.1 Definition of System MRec“ 

For every kind $\kappa$ of $F^\omega$, we add the constructor constant $\mu^\kappa$ of kind $(\kappa \to \kappa) \to \kappa$ to the system of constructors of $F^\omega$, denoting least fixed-point formation. The term system of $F^\omega$ is extended by two families of constants: $\mathsf{in}^\kappa$ (fixed-point introduction) and $\mathsf{MRec}^\kappa$ (fixed-point elimination) for every kind $\kappa$. In order to give their types, we need a notion of constructor containment: Every kind $\kappa$ can uniquely be written in the form $\kappa_1 \to \cdots \to \kappa_n \to *$, short $\vec\kappa \to *$. Define

$F \subseteq^\kappa G := \forall \vec X^{\vec\kappa}.\; F\,\vec X \to G\,\vec X \;:\; *$

for constructors $F, G : \kappa = \vec\kappa \to *$. The typing of the constants can now be given by $\mathsf{in}^\kappa : \forall F^{\kappa \to \kappa}.\; F(\mu^\kappa F) \subseteq^\kappa \mu^\kappa F$ and

$\mathsf{MRec}^\kappa : \forall F^{\kappa \to \kappa} \forall G^{\kappa}.\; (\forall X^{\kappa}.\; X \subseteq^\kappa \mu^\kappa F \to X \subseteq^\kappa G \to F\,X \subseteq^\kappa G) \to \mu^\kappa F \subseteq^\kappa G.$

The notion $\to$ of reduction for untyped terms is extended by the additional basic reduction rule of primitive recursion

$\mathsf{MRec}^\kappa\; s\; (\mathsf{in}^\kappa\; t) \;\to\; s\; \mathsf{id}\; (\mathsf{MRec}^\kappa\; s)\; t,$

where $\mathsf{id} := \lambda x.x$ is the identity. Intuitively, subject reduction still holds because the type $\forall X^{\kappa}.\; X \subseteq^\kappa \mu^\kappa F \to X \subseteq^\kappa G \to F\,X \subseteq^\kappa G$ of the term $s$ is instantiated with the fixed-point constructor $\mu^\kappa F$ itself. Therefore, the identity $\mathsf{id}$ qualifies as
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first argument to $s$. In general, the transformation from the blank type $X$ back into the fixed-point, i.e., of type $X \subseteq^\kappa \mu^\kappa F$, which is the first formal argument of $s$, provides access to the predecessor of the recursion argument. This is the feature which distinguishes primitive recursion from iteration.

For $\kappa = *$, we have just restated Mendler's rules for recursive types [Men87]. At this point, let us remark that Mendler-style inductive types — although not observed by Mendler — do not require positivity for $F$. This contrasts with the recursive types of $\mathrm{Fix}^\omega$. It also contrasts with formulations of primitive recursion in conventional style that have to rely on positivity or, less syntactically, on a monotonicity requirement such as that in [Mat01] for $\kappa = *$ or $\kappa = * \to *$.



4.2 Example: Redecoration of Finite Triangular Matrices 

As a non-trivial example of the use of $\mathrm{MRec}^\omega$ for heterogeneous datatypes, we consider a redecoration operation for the diagonal elements of finite triangular matrices. In previous work with Uustalu, we have treated redecoration for infinite triangular matrices by higher-order coiteration [AMU03], and the finite ones by a computationally unsatisfactory encoding of recursion within iteration [AMU04].

Fix a type $E : *$ of matrix elements. The type $\mathsf{Tri}\,A$ of finite triangular matrices with diagonal elements in $A$ and ordinary elements $E$ can be obtained as follows, with $\kappa_1 := * \to *$:

$\mathsf{TriF} := \lambda X^{\kappa_1} \lambda A^{*}.\; A \times (1 + X\,(E \times A)) \;:\; \kappa_1 \to \kappa_1$

$\mathsf{Tri} := \mu^{\kappa_1}\, \mathsf{TriF} \;:\; \kappa_1$

We think of these triangles decomposed columnwise: The first column is a singleton of type $A$, the second a pair of type $E \times A$, the third a triple of type $E \times (E \times A)$, the fourth a quadruple of type $E \times (E \times (E \times A))$ etc. Hence, if some column has some type $A'$ we obtain the type of the next column as $E \times A'$. By taking the left injection into the sum $1 + \ldots$, one can construct an element without further recurrence, the last column. We can visualize triangles like this:



[Picture of a triangle: each column consists of entries $E$ stacked above one diagonal entry $A$, and vertical lines separate the columns.]

The vertical lines hint at the decomposition scheme. In general, elements of type $\mathsf{Tri}\,A$ are constructed by means of

$\mathsf{sg} := \lambda a.\; \mathsf{in}^{\kappa_1}(a, \mathsf{inl}\,()) \;:\; \forall A^{*}.\; A \to \mathsf{Tri}\,A$

$\mathsf{cons} := \lambda a \lambda t.\; \mathsf{in}^{\kappa_1}(a, \mathsf{inr}\,t) \;:\; \forall A^{*}.\; A \to \mathsf{Tri}\,(E \times A) \to \mathsf{Tri}\,A$

The function $\mathsf{top} : \forall A^{*}.\; \mathsf{Tri}\,A \to A = \mathsf{Tri} \subseteq^{\kappa_1} \lambda A^{*}.A$ that yields the topmost diagonal element is defined as $\mathsf{top} := \mathsf{MRec}^{\kappa_1}(\lambda i \lambda h \lambda p.\; \mathsf{fst}\, p)$. As reduction behavior, we get

$\mathsf{top}\,(\mathsf{sg}\; a) \to^{+} a$
$\mathsf{top}\,(\mathsf{cons}\; a\; t) \to^{+} a$
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If we remove the first column of a triangle $\mathsf{Tri}\,A$, we obtain a trapezium $\mathsf{Tri}\,(E \times A)$. We can get back a (smaller) triangle if we cut off the top row of the trapezium using the function $\mathsf{cut} : \forall A^{*}.\; \mathsf{Tri}\,(E \times A) \to \mathsf{Tri}\,A$. The exact definition of this function, which is like $\mathsf{fcut}$ in [AMU04, Example 34], has to be omitted due to lack of space.

Let $T\,A$ denote some sort of $A$-decorated (or $A$-labelled) trees. Redecoration [UV02] is an operation that takes an $A$-decorated tree $t : T\,A$ and a redecoration rule $f : T\,A \to B$ and returns a $B$-decorated tree $t' : T\,B$. For triangles, redecoration works as follows: In the triangle

A E E E E
  A E E E
    A E E
      A E
        A

the underlined $A$ (as an example) gets replaced by the $B$ assigned by the redecoration rule to the sub-triangle cut out by the horizontal line; similarly, every other $A$ is replaced by a $B$.

For the definition of redecoration, we will need a means of lifting a redecoration rule on triangles to one on trapeziums.

$\mathsf{lift} := \lambda f \lambda t.\; (\mathsf{fst}\,(\mathsf{top}\; t),\; f\,(\mathsf{cut}\; t))$
$\qquad : \forall A^{*} \forall B^{*}.\; (\mathsf{Tri}\,A \to B) \to \mathsf{Tri}\,(E \times A) \to E \times B$

For a detailed explanation in which sense this is a lifting, see [AMU04]. Finally, we can define redecoration

$\mathsf{redec} : \forall A^{*} \forall B^{*}.\; \mathsf{Tri}\,A \to (\mathsf{Tri}\,A \to B) \to \mathsf{Tri}\,B \;=\; \mathsf{Tri} \subseteq^{\kappa_1} G$

with $G := \lambda A^{*} \forall B^{*}.\; (\mathsf{Tri}\,A \to B) \to \mathsf{Tri}\,B$. The definition makes essential use of primitive recursion in that it also uses the variable $i : X \subseteq^{\kappa_1} \mathsf{Tri}$ in the body of the argument to $\mathsf{MRec}^{\kappa_1}$:

$\mathsf{redec} := \mathsf{MRec}^{\kappa_1}\big(\lambda i \lambda h.\; \lambda t \lambda f.\; \mathsf{case}(\mathsf{snd}\; t,$
$\qquad u.\; \mathsf{sg}\,(f\,(\mathsf{sg}\,(\mathsf{fst}\; t))),$
$\qquad r.\; \mathsf{cons}\,(f\,(\mathsf{cons}\,(\mathsf{fst}\; t)\,(i\; r)))\,(h\; r\; (\mathsf{lift}\; f)))\big)$

Its reduction behavior is easy to calculate:

$\mathsf{redec}\,(\mathsf{sg}\; a)\; f \to^{+} \mathsf{sg}\,(f\,(\mathsf{sg}\; a))$
$\mathsf{redec}\,(\mathsf{cons}\; a\; r)\; f \to^{+} \mathsf{cons}\,(f\,(\mathsf{cons}\; a\; r))\,(\mathsf{redec}\; r\; (\mathsf{lift}\; f))$

The reader is invited to compare this concise behaviour with the one obtained in [AMU04] within definitional extensions of System $F^\omega$ that therefore can only provide iteration schemes and no primitive recursion. Notice that the number of reduction steps does not depend on the terms $a$, $r$ and $f$ since these may just be variables. By a modification of the definition of $\mathsf{redec}$ above, it is easy to define a constant-time predecessor operation on triangles (a left inverse of $\mathsf{cons}$ for $\mathsf{Tri}$ even with respect to reductions of open terms): The access to $r$ in the $\mathsf{cons}$ case of the reduction will be type-correct by using $(i\; r)$ instead of $r$, just as for $\mathsf{redec}$.
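As an added example (not code from the paper), the triangles and the Mendler-style recursion of this section written out in Python: MRec is implemented by its reduction rule, and sg, cons, top, lift and redec follow the definitions above. Assumed: cut, whose definition the paper omits, is constructed here as dropping the outermost E of every column; the row helpers and the sample triangle are constructed too.

```python
"""Triangles Tri A of Section 4.2 with Mendler-style primitive recursion (MRec).
Added example, not the paper's code: sg, cons, top, lift and redec follow the
text; cut (whose definition the paper omits), from_rows/to_rows and all sample
data are constructed here."""
from dataclasses import dataclass
from typing import Any, Optional, Tuple

# Tri A is in (a, inl ()) or in (a, inr t) with t : Tri (E x A).  The sum
# 1 + Tri (E x A) is modelled by Optional: None is inl (), a Tri is inr t.
Unfolded = Tuple[Any, Optional["Tri"]]


@dataclass(frozen=True)
class Tri:
    """Fixed-point introduction in: a node wraps the unfolded pair TriF Tri A."""
    unfold: Unfolded


def in_(pair: Unfolded) -> Tri:
    return Tri(pair)


def mrec(s):
    """MRec s, implemented by its reduction rule: MRec s (in t) -> s id (MRec s) t.
    s receives the predecessor access i (the identity, typed X <= Tri), the
    recursive call h (typed X <= G) and the unfolded node t : TriF X A."""
    def rec(node: Tri):
        return s(lambda x: x)(rec)(node.unfold)
    return rec


def sg(a) -> Tri:            # sg := \a. in (a, inl ())
    return in_((a, None))


def cons(a, t: Tri) -> Tri:  # cons := \a \t. in (a, inr t)
    return in_((a, t))


top = mrec(lambda i: lambda h: lambda p: p[0])   # top := MRec (\i \h \p. fst p)


def cut(t: Tri) -> Tri:
    """cut : Tri (E x A) -> Tri A, constructed here: drop the top row of a
    trapezium, i.e. the outermost E of every column."""
    (_, a), rest = t.unfold
    return in_((a, None if rest is None else cut(rest)))


def lift(f):
    """lift f t = (fst (top t), f (cut t)) : (Tri A -> B) -> Tri (E x A) -> E x B"""
    return lambda t: (top(t)[0], f(cut(t)))


def _redec_step(i):
    # \i \h \t \f. case (snd t, u. sg (f (sg (fst t))),
    #                      r. cons (f (cons (fst t) (i r))) (h r (lift f)))
    def with_h(h):
        def body(t):
            def apply(f):
                a, rest = t
                if rest is None:      # inl (): the last column
                    return sg(f(sg(a)))
                r = rest              # inr r: the predecessor, reached via i
                return cons(f(cons(a, i(r))), h(r)(lift(f)))
            return apply
        return body
    return with_h


redec = mrec(_redec_step)   # redec t f : Tri B for t : Tri A, f : Tri A -> B


def size(t: Tri) -> int:
    """A sample redecoration rule: the number of columns of a triangle."""
    _, rest = t.unfold
    return 1 if rest is None else 1 + size(rest)


def from_rows(rows):
    """Constructed helper: Tri from rows [[a1, e, e, ...], [a2, e, ...], ..., [an]].
    Column k nests its entries top-down: (rows[0][k], (rows[1][k-1], (..., rows[k][0])))."""
    cols = []
    for k in range(len(rows)):
        col = rows[k][0]
        for i in range(k - 1, -1, -1):
            col = (rows[i][k - i], col)
        cols.append(col)
    t = sg(cols[-1])
    for col in reversed(cols[:-1]):
        t = cons(col, t)
    return t


def to_rows(t: Optional[Tri]):
    """Constructed helper: inverse of from_rows."""
    cols = []
    while t is not None:
        col, t = t.unfold
        cols.append(col)
    rows = [[] for _ in cols]
    for k, col in enumerate(cols):
        for i in range(k):
            e, col = col
            rows[i].append(e)
        rows[k].append(col)
    return rows
```

Redecorating with top returns the triangle unchanged, while redecorating with size replaces each diagonal entry by the number of columns of the sub-triangle below it; both run in time linear in the number of columns because the predecessor r is reached directly through i.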
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5 Embedding of Mendler-Style Recursion into $\mathrm{Fix}^\omega$

In this section, we prove — via an embedding into $\mathrm{Fix}^\omega$ — that Mendler recursion for higher ranks is strongly normalizing. The proof proceeds in two steps: First, we show that all constructions of $\mathrm{MRec}^\omega$ can be defined in $\mathrm{Fix}^\omega$ such that reduction is simulated. Then we map each welltyped term of $\mathrm{MRec}^\omega$ onto a still welltyped term of $\mathrm{Fix}^\omega$ of exactly the same shape (the translation is purely homomorphic). Thus, each infinite reduction sequence of $\mathrm{MRec}^\omega$ would map onto an infinite sequence of $\mathrm{Fix}^\omega$, which is a contradiction to the result of Section 3.

Products and sums can be defined in $\mathrm{Fix}^\omega$ via the standard impredicative encoding (see Example 1). The interesting part is the definition of least fixed-points $\mu^\kappa$ within $\mathrm{Fix}^\omega$. We give their definition only for kinds carrying no polarity information, i.e., kinds of the form $\kappa = o\vec\kappa \to *$. This suffices because their purpose is just to serve as images in the translation of the least fixed points in the polarity-free system $\mathrm{MRec}^\omega$. We define $\mu^\kappa := \lambda F^{o(o\kappa \to \kappa)}.\; \mathrm{fix}\, \varphi_F$ with

$\varphi_F := \lambda Y^{+\kappa} \lambda \vec X^{o\vec\kappa} \forall G^{\kappa}.\; (\forall X^{\kappa}.\; X \subseteq^\kappa Y \to X \subseteq^\kappa G \to F\,X \subseteq^\kappa G) \to G\,\vec X.$

It is not hard to see that $F^{o(o\kappa \to \kappa)} \vdash \varphi_F : +\kappa \to \kappa$, since the variable $Y$ occurs twice to the left of an arrow in the body of the definition of $\varphi_F$. Thus, for any $F : o\kappa \to \kappa$ we have $\varphi_F : +\kappa \to \kappa$, and $\mu^\kappa : o(o\kappa \to \kappa) \to \kappa$ as required.

Once we have found a suitable representation of $\mu^\kappa$ in $\mathrm{Fix}^\omega$, the definition of elimination and introduction falls into place:

$\mathsf{MRec}^\kappa := \lambda s \lambda r.\; r\; s$
$\mathsf{in}^\kappa := \lambda t \lambda s.\; s\; \mathsf{id}\; (\mathsf{MRec}^\kappa\; s)\; t$

Note that the right-hand sides do not depend on $\kappa$. These definitions yield simulation of primitive recursion within $\mathrm{Fix}^\omega$, as we can confirm by performing four $\beta$-reduction steps: $\mathsf{MRec}^\kappa\; s\; (\mathsf{in}^\kappa\; t) \to^{+} s\; \mathsf{id}\; (\mathsf{MRec}^\kappa\; s)\; t$.

Now, System $\mathrm{MRec}^\omega$ can be translated into $\mathrm{Fix}^\omega$ by replacing each arrow kind $\kappa \to \kappa'$ by $o\kappa \to \kappa'$, and each annotated abstraction $\lambda X^{\kappa}$ by $\lambda X^{o\kappa}$. All other syntactical constructions remain unchanged. Certainly, we can only map the constants $\mathsf{in}^\kappa$ and $\mathsf{MRec}^\kappa$ of $\mathrm{MRec}^\omega$ onto their defined counterparts in $\mathrm{Fix}^\omega$ if the types of source and target match. This can be seen by type-checking, for which the following chart might be an aid.

$F : o(o\kappa \to \kappa)$,
$s : \forall X^{\kappa}.\; X \subseteq^\kappa \mu^\kappa F \to X \subseteq^\kappa G \to F\,X \subseteq^\kappa G$,
$r : \mu^\kappa F\; X = \varphi_F(\mu^\kappa F)\; X$,
$t : F\,(\mu^\kappa F)\; X$
$\vdash r\; s : G\; X$
$\vdash \lambda s.\; s\; \mathsf{id}\; (\mathsf{MRec}^\kappa\; s)\; t : \varphi_F(\mu^\kappa F)\; X = \mu^\kappa F\; X$

Theorem 2. Every welltyped term of $\mathrm{MRec}^\omega$ is strongly normalizing.

Proof. By Corollary 2, using the abovementioned translation into $\mathrm{Fix}^\omega$.
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6 Conclusion and Future Work 

We have presented two systems for total functions over higher-order and nested datatypes where the predecessor runs in constant time. The first system, $\mathrm{Fix}^\omega$, supports positive equi-recursive types of higher order. No primitive combinator for recursive functions is built in, but due to the strength of equi-recursive types in combination with impredicativity, customary recursion schemes can be defined. One instance is Mendler-style primitive recursion MRec, which for example can be used to define a redecoration algorithm for triangular matrices. We have shown that Mendler-style primitive recursion can be simulated in $\mathrm{Fix}^\omega$.

This simulation could have been extended to also account for coinductive type constructors, by defining Mendler-style corecursion for higher ranks in $\mathrm{Fix}^\omega$. A naturally corecursive program is substitution for the infinite version of de Bruijn terms coded as a nested datatype [AR99, BP99b]. Due to space restrictions we have to leave this direction to future work.

The systematic use of nested datatypes to represent datastructures with invariants is rather new [Hin98] (but also see [Oka96, Sections 10, 11] for earlier work). As an example, Hinze [Hin01] implemented Okasaki's functional version of red-black trees [Oka99] by help of a nested datatype to actually ensure the balancing properties of red-black trees by the type system. Most algorithms for nested datatypes published so far require just iteration, hence can be implemented in the framework of generalized folds [BP99a] or efficient folds [MGB04] or Mendler iteration [AMU04]. As more classical algorithms will find functional implementations using nested datatypes, we imagine many more examples requiring primitive recursion for higher-rank datatypes, and thus may infer termination of the respective algorithms.
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Abstract. A simple type $\sigma$ is retractable to a simple type $\tau$ if there are two terms $C : \sigma \to \tau$ and $D : \tau \to \sigma$ such that $D \circ C =_{\beta\eta} \lambda x.x$. The paper presents a system which for given $\sigma, \tau$ derives affine retractability, i.e. the above relation with the additional restriction that in $C$ and $D$ every bound variable occurs at most once. A derivation in the system constructs these terms. What is more, the complexity of building affine retractions is studied. The problem of affine retractability is NP-complete even for the class of types over a single type atom and having limited functional order. A polynomial algorithm for types of orders less than 3 is also presented.



1 Introduction 

The notion of isomorphism, which renders the idea of identicality, appears very frequently in many formal theories. In the simply typed lambda calculus it is defined as follows: two types $\sigma, \tau$ are isomorphic if there exist terms $C$ of the type $\sigma \to \tau$ and $D$ of the type $\tau \to \sigma$ such that $D \circ C =_{\beta\eta} \lambda x.x$ and $C \circ D =_{\beta\eta} \lambda x.x$. This notion has been studied since the 1980s, see e.g. [BL85]. A complete and effective characterisation of the relation is given in [Cos95]. Moreover, the relation of type isomorphism has already been successfully used in tools supporting searching in software libraries, e.g. [Cos95, Rit91].

The notion of retraction is a generalisation of isomorphism. In this case only $D \circ C =_{\beta\eta} \lambda x.x$ is required in place of the two abovementioned equalities. This category theory based definition corresponds to a concept of coding — everything that is encoded by means of $C$ can be decoded back by $D$ without any loss of information.

The knowledge concerning type retractions is undeveloped even for very simple formalisms, like the simply typed lambda calculus. There is a complete and effective criterion of retractability in the calculus, but with respect to the $\beta$-reduction [SU99]. There are also several sufficient conditions for $\beta\eta$-reduction based retractions in [dPS92]. The last paper includes a complete characterisation of affine retractability in the lambda calculus with a single type atom
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where the word affine means that in the terms $C$, $D$ each bound variable is used at most once. A paper by Padovani [Pad01] contains an algorithm that decides full $\beta\eta$ retractability in the simply typed lambda calculus with types that have a single type atom. In a paper by Regnier and Urzyczyn [LR01], the authors give characterisations of $\beta\eta$ retractability in the lambda calculus with many type atoms, but these characterisations are either not effective or not complete. However, they give an effective and complete characterisation of affine retractability.

Type retractions (but in a richer type system) have already been used to prove that recursive polymorphic types cannot be encoded in the polymorphic lambda calculus $\lambda 2$ [SU99]. Type retractions may, in addition, turn out to be useful as a method to find more general operations in software libraries — similarly to the foregoing applications of type isomorphisms. By the Curry-Howard isomorphism, retractions can also be used in automated provers as a vehicle supporting the reuse of already proved subproblems. Each of these applications requires an effective method to generate a link between the existing infrastructure (a software library, a library of proved lemmas) and the new requirement (a function to be found, a new formula to be proved). This link is provided by the terms $C$, $D$ mentioned in the definition of retraction. This paper presents a system for inferring affine retractions together with the accompanying terms $C$ and $D$.

There are two reasons that justify the restriction to affine retractions. First, the type retraction problem can be defined in terms of the higher-order matching problem. This can be done using the following equation $\lambda x.\, X(Yx) = \lambda x.x$ where $X, Y$ are unknown variables. The higher-order matching problem is known to be at least non-elementarily hard [Vor97], if not undecidable. Moreover, the construction by Padovani in [Pad01], which employs a special — known to be non-elementary — case of the higher-order matching problem, suggests that the problem of finding retractions is highly intractable. Second, dealing with affine retractions is supported by the assumption that every transformation approved by a human must be fairly simple so that it can be understood. This kind of situation can occur in the afore-mentioned search in software libraries.

This paper contains a proof that the relation of affine retractability is polynomial for types of order at most 3. This provides a tight bound on the tractability of the problem as the problem is NP-complete already for types of order 4. The latter result holds for the class of types with an unbounded number of atoms. If the number of type atoms is bounded by a number $k > 1$ the problem is NP-complete for types of order 5. If there is only one type atom the problem is NP-complete for types of order 7.



2 Basic Definitions 

We assume that the reader is familiar with the simply typed lambda calculus. Thus we only sketch the basic definitions in order rather to settle the notation than to thoroughly introduce the notions. A more gentle introduction can be found e.g. in [Bar92].

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Fig. 1. A schematic picture of $\sigma_1 \to \sigma_2 \to \cdots \to \sigma_k \to a$

The simply typed lambda calculus (in the Church fashion) has terms of the form $MN$ or $\lambda x : \sigma.M$. The $\lambda$ operator binds the variable $x$ in the body $M$, so we deal with the notions of free and bound variables together with the $\alpha$-equivalence relation. We identify $\alpha$-equivalent expressions. The types in $\lambda^{\to}$ are built using basic types from a nonempty set $\mathcal{B}$. The types are constructed by means of the $\to$ operator, e.g. $\sigma \to \tau$. The types are assigned to terms by means of a type inference system. Rules of such a system can be found in [Bar92]. We sometimes use a notation $\Delta \to a$, where $\Delta$ is a set or a sequence of types $\{\delta_1, \ldots, \delta_n\}$, to denote $\delta_1 \to \cdots \to \delta_n \to a$. The types are categorised by an order. The order is defined as $\mathrm{ord}(a) = 1$ for $a \in \mathcal{B}$ and $\mathrm{ord}(\sigma \to \tau) = \max(\mathrm{ord}(\sigma) + 1, \mathrm{ord}(\tau))$. The set of types having the order $k$ is denoted $T_k$. If $\sigma = \sigma_1 \to \cdots \to \sigma_n \to a$ or $\sigma = a$ then $\mathrm{head}(\sigma) = a$. All the types $\sigma_1, \ldots, \sigma_n$ are called … of $\sigma$.

We also adopt a method of representing types on pictures which is more convenient in dealing with type retractions. The idea of the representation is presented on Fig. 1.

The simply typed lambda calculus is accompanied by a notion of evaluation. This is called $\beta$-reduction. This relation is generated by the basic rule $(\lambda x : \sigma.M)N \to M[x := N]$ where $[x := N]$ denotes the capture avoiding substitution. This relation is extended with the $\eta$-reduction generated by $(\lambda x : \sigma.Mx) \to M$ where $x$ does not occur freely in $M$. The combination of the two relations is denoted by $\to_{\beta\eta}$. We use also the reflexive transitive closure $\to^{*}_{\beta\eta}$ of $\to_{\beta\eta}$ as well as the least equivalence $=_{\beta\eta}$ containing $\to_{\beta\eta}$.

Definition 1. (retracts)

We say that a type $\sigma$ is a retract of a type $\tau$, and we write $\sigma \lhd_{\beta\eta} \tau$, iff there exists a pair of terms $C : \sigma \to \tau$ and $D : \tau \to \sigma$ such that $D \circ C =_{\beta\eta} I_\sigma = \lambda x : \sigma.x$. We say that a type $\sigma$ is an affine retract of a type $\tau$, and we write $\sigma \lhd^{a}_{\beta\eta} \tau$, iff $C, D$ are affine terms (i.e. terms with at most one occurrence of each bound variable). We usually omit the subscript $\beta\eta$ and write $\lhd$ or $\lhd^{a}$.

The problem of finding affine retracts is defined as follows:

Definition 2. (problem of affine retractions)

Given types $\sigma, \tau$: is there a pair of affine terms $C, D$ such that $C : \sigma \to \tau$ and $D : \tau \to \sigma$ and $D \circ C =_{\beta\eta} I_\sigma$?






(Ax) $\quad a \lhd^{a} a$

(H) $\quad \dfrac{\sigma \lhd^{a} \sigma' \qquad \tau \lhd^{a} \tau'}{\sigma \to \tau \;\lhd^{a}\; \sigma' \to \tau'}$

(N) $\quad \dfrac{\sigma \lhd^{a} \tau}{\sigma \;\lhd^{a}\; \Sigma \to \tau}$

(D) $\quad \dfrac{\Delta_1 \to a \lhd^{a} \sigma_1 \qquad \cdots \qquad \Delta_n \to a \lhd^{a} \sigma_n}{\Delta_1 \cup \cdots \cup \Delta_n \to a \;\lhd^{a}\; \{\Sigma_1 \to \sigma_1 \to a, \ldots, \Sigma_n \to \sigma_n \to a\} \to a}$

Fig. 2. The syntax directed system

2.1 A System for Inference of Retraction Terms

We consider a system to infer inequalities $\sigma \lhd^{a} \tau$. The system was proposed by Regnier and Urzyczyn (RU) and is presented in Fig. 2. The most important property of the system is the lack of any cut-like rule.

The system RU is a good starting point in the design of our term system for deducing affine retractions. We modify the system RU since its original form has several notational conveniences which are inadequate in the context of generation of retracting terms. The term system presented in Fig. 3 infers sequents $\vdash C \bullet D : \sigma \lhd^{a} \tau$ such that $C, D$ correspond to terms certifying the retraction $\sigma \lhd^{a} \tau$.



(Ax) $\quad \vdash I_a \bullet I_a : a \lhd^{a} a$

(H) $\quad \dfrac{\vdash T_1 \bullet T_2 : \sigma \lhd^{a} \sigma' \qquad \vdash T_1' \bullet T_2' : \tau \lhd^{a} \tau'}{\vdash H_{\sigma,\tau,\sigma',\tau'}\, T_1'\, T_2 \;\bullet\; H_{\sigma',\tau',\sigma,\tau}\, T_1\, T_2' : \sigma \to \tau \;\lhd^{a}\; \sigma' \to \tau'}$

(N) $\quad \dfrac{\vdash T_1 \bullet T_2 : \sigma \lhd^{a} \tau}{\vdash N_{\sigma,\tau,\Sigma}\, T_1 \;\bullet\; N'_{\sigma,\tau,\Sigma}\, T_2 : \sigma \;\lhd^{a}\; \Sigma \to \tau}$

(D) $\quad \dfrac{\vdash T_1 \bullet T_1' : \Sigma \to a \lhd^{a} \tau' \qquad \vdash T_2 \bullet T_2' : \sigma \lhd^{a} \tau \qquad \mathrm{head}(\tau') = \mathrm{head}(\sigma) = \mathrm{head}(\tau) = a}{\vdash D\, T_1\, T_2 \;\bullet\; D'\, T_1'\, T_2' : \Sigma \to \sigma \;\lhd^{a}\; (\Delta_1 \to \tau' \to \Delta_2 \to a) \to \tau}$

(P) $\quad \dfrac{\vdash T \bullet T' : \sigma_1 \to \cdots \to \sigma_n \to a \;\lhd^{a}\; \tau_1 \to \cdots \to \tau_m \to a}{\vdash P_{\pi_1,\pi_2}\, T \;\bullet\; P'_{\pi_1,\pi_2}\, T' : \sigma_{\pi_1(1)} \to \cdots \to \sigma_{\pi_1(n)} \to a \;\lhd^{a}\; \tau_{\pi_2(1)} \to \cdots \to \tau_{\pi_2(m)} \to a}$

Fig. 3. The term system for linear retractions
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The rule (D) in the system RU and in the term system is a little bit difficult to grasp. Figure 4 may help in understanding it.

Fig. 4. The rule (D) from RU with emphasised deep inequality



Definition 3. (terms from the term system)

We define a transformation $\mathrm{lambdify}(\cdot)$ for the retraction combinators used in Fig. 3:

— $\mathrm{lambdify}(I_\sigma) = \lambda x : \sigma.\, x$,

— $\mathrm{lambdify}(H_{\sigma,\tau,\sigma',\tau'}) = \lambda T_1 : \tau \to \tau'.\; \lambda T_2 : \sigma' \to \sigma.\; \lambda f : \sigma \to \tau.\; \lambda x : \sigma'.\; T_1(f(T_2\, x))$,

— $\mathrm{lambdify}(N_{\sigma,\tau,\Sigma}) = \lambda T : \sigma \to \tau.\; \lambda f : \sigma.\; \lambda x_1 : \sigma_1 \ldots x_n : \sigma_n.\; T\, f$ where $\Sigma = \{\sigma_1, \ldots, \sigma_n\}$,

— $\mathrm{lambdify}(N'_{\sigma,\tau,\Sigma}) = \lambda T : \tau \to \sigma.\; \lambda f : \Sigma \to \tau.\; T(f\, z_1 \cdots z_n)$ where $\Sigma = \{\sigma_1, \ldots, \sigma_n\}$ and $z_i : \sigma_i$ for $i = 1, \ldots, n$,

— $\mathrm{lambdify}(D) = \lambda T_1 : (\Sigma \to a) \to \tau'.\; \lambda T_2 : \sigma \to \tau.\; \lambda f : \Sigma \to \sigma.\; \lambda y : \Delta_1 \to \tau' \to \Delta_2 \to a.\; \lambda z_1 : \tau_1 \ldots z_p : \tau_p.\; y\, c_1 \cdots c_{q_1}\, \mathcal{D}\, c_{q_1+1} \cdots c_{q_2}$,

— $\mathrm{lambdify}(D') = \lambda T_1' : \tau' \to \Sigma \to a.\; \lambda T_2' : \tau \to \sigma.\; \lambda g : (\Delta_1 \to \tau' \to \Delta_2 \to a) \to \tau.\; \lambda x_1 : \rho_1, \ldots, x_r : \rho_r.\; T_2'\, \mathcal{D}'$
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where

$\tau = \tau_1 \to \cdots \to \tau_p \to a$,
$\Delta_1 = \{\delta_1, \ldots, \delta_{q_1}\}$, $\Delta_2 = \{\delta_{q_1+1}, \ldots, \delta_{q_2}\}$,
$\Sigma = \{\rho_1, \ldots, \rho_r\}$,
$\mathcal{D} = T_1\big(\lambda y_1 : \rho_1 \ldots y_r : \rho_r.\; T_2(f\, y_1 \cdots y_r)\, z_1 \cdots z_p\big)$,
$\mathcal{D}' = g\big(\lambda z_1 : \delta_1 \ldots z_{q_1} : \delta_{q_1}.\; \lambda v : \tau'.\; \lambda z_{q_1+1} : \delta_{q_1+1} \ldots z_{q_2} : \delta_{q_2}.\; T_1'\, v\, x_1 \cdots x_r\big)$

with $c_1, \ldots, c_{q_2}$ being fresh variables of the types $\delta_k$ for $k = 1, \ldots, q_2$.

— $\mathrm{lambdify}(P_{\pi_1,\pi_2}) = \lambda f : \sigma \to \tau.\; \lambda x : \sigma_{\pi_1(1)} \to \cdots \to \sigma_{\pi_1(n)} \to a.\; \lambda y_{\pi_2(1)} : \tau_{\pi_2(1)} \ldots y_{\pi_2(m)} : \tau_{\pi_2(m)}.\; f\,(\lambda v_1 : \sigma_1 \ldots v_n : \sigma_n.\; x\, v_{\pi_1(1)} \cdots v_{\pi_1(n)})\, y_1 \cdots y_m$

where $\pi_1, \pi_2$ are permutations of the sets $\{1, \ldots, n\}$ and $\{1, \ldots, m\}$ respectively, whereas $\sigma = \sigma_1 \to \cdots \to \sigma_n \to a$ and $\tau = \tau_1 \to \cdots \to \tau_m \to a$.

We omit the type parametrisation of $D$, $D'$ and $P_{\pi_1,\pi_2}$ as suitable notation is overwhelming, but we implicitly assume that these constants are annotated as follows: $D$, $D'$ with $\Sigma \to \sigma$ and $(\Delta_1 \to \tau' \to \Delta_2 \to a) \to \tau$; $P_{\pi_1,\pi_2}$ with $\sigma_1 \to \cdots \to \sigma_n \to a$ and $\tau_1 \to \cdots \to \tau_m \to a$.

Proposition 4. (soundness)

Let

$\dfrac{\vdash T_1 \bullet T_1' : \sigma_1 \lhd^{a} \tau_1 \qquad \cdots \qquad \vdash T_n \bullet T_n' : \sigma_n \lhd^{a} \tau_n}{\vdash T \bullet T' : \sigma \lhd^{a} \tau}$

be an instance of a rule of the term system. If for each premise $\vdash T_i \bullet T_i' : \sigma_i \lhd^{a} \tau_i$ the terms $\mathrm{lambdify}(T_i)$, $\mathrm{lambdify}(T_i')$ certify $\sigma_i \lhd^{a} \tau_i$, then $\mathrm{lambdify}(T)$, $\mathrm{lambdify}(T')$ certify $\sigma \lhd^{a} \tau$.

Proof. The proof is by cases according to the rules of the system from Fig. 3. □

Theorem 5. (completeness)

For all types $\sigma, \tau$ with $\sigma \lhd^{a} \tau$ there are $T, T'$ such that $\vdash T \bullet T' : \sigma \lhd^{a} \tau$ and $\mathrm{lambdify}(T)$, $\mathrm{lambdify}(T')$ certify $\sigma \lhd^{a} \tau$.

Proof. The proof is by induction with respect to the size of $\sigma \lhd^{a} \tau$. □

2.2 Permutations of a Derivation

The term system allows us to perform several changes in the particular form of a derivation. The possibilities are summarised in the following Prop. 6.

In order to make the formulation of the proposition easier we introduce a few conventions for referring to nodes in a derivation. For each rule on Fig. 3 the sequents above the rule line are called premises of the rule while the sequent below the line is called a conclusion. In the rule (H) the first sequent above the
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rule line is called a left premise of the rule whereas the second one is called a right premise. In the rule (D) the first sequent above the rule line is called the left premise and the second one is called the right premise.

Proposition 6. (permutations inside derivations)

Let $\mathcal{D}$ be a derivation of $\sigma \lhd^{a} \tau$. … $\mathcal{D}'$ … $\mathcal{D}''$ …
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
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Proof. We leave a routine case analysis for the reader. □

Note that the rule (D) may be replaced by the rule (N) in case the former has a sequent $a \lhd^{a} a$ where $a \in \mathcal{B}$ as the left premise.
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3 NP-Completeness 

Theorem 7. (affine retractions are in NP)

The problem of affine retractions (Definition 2) is in NP.

Proof. The problem of affine retractions immediately reduces to the problem of finding an affine solution to the following higher-order matching equation $X(Yx) = x$ where $X, Y$ are unknowns of the types $\tau \to \sigma$ and $\sigma \to \tau$ respectively and $x$ is a constant of the type $\sigma$. The problem of solving such equations has been proved NP-complete in [WD02].

A more direct argument could rely on the observation that in the system on Fig. 2, for each rule, the different inequalities in the assumptions of the rule can be constructed from disjoint parts of the inequalities in the result and no part of the result is duplicated in the assumptions. Thus each derivation according to the system has only polynomially many uses of these rules. This means that it is enough to guess such a polynomial tree labelled with the rules and then check if the tree is a proper derivation. □

3.1 NP-Hardness 

We present here NP-hardness proofs for three languages of types. In the first one we deal with an unbounded number of type atoms. In the second one the number of atoms is bounded by a number $k > 1$. In the third one there is only one type atom. In order to reuse a part of the NP-hardness construction we have to define a few notions which describe requirements on the language of types which enable the NP-hardness construction.

We deal with families of sets of types of the form $\mathcal{A} = \{A_i\}_{i \in \mathbb{N}}$ where $|A_i| = i$. Such families are called here for short graded families. We define $\sigma' = \sigma \to a$ for $\sigma \in \bigcup_{i \in \mathbb{N}} A_i$.

Definition 8. (properly isolated family)

We say that a graded family is properly isolated iff for each $\sigma_\alpha, \sigma_{\alpha_1}, \ldots, \sigma_{\alpha_n}, \sigma_{\beta_1}, \ldots, \sigma_{\beta_m} \in A_i$ we have

1. if $\sigma_{\alpha_j}$ … then $\sigma_{\alpha_i} =$ …;

2. if $\sigma_\alpha \lhd^{a}$ … $\to a$ then for some $j$ we have $\sigma_{\alpha_j}$ …;

3. …;

4. if $\sigma_{\alpha_1} \to \cdots \to \sigma_{\alpha_n} \to a \;\lhd^{a}\; \sigma_{\beta_1} \to \cdots \to \sigma_{\beta_m} \to a$ then $\{\alpha_1, \ldots, \alpha_n\} \subseteq \{\beta_1, \ldots, \beta_m\}$ where $\subseteq$ is the multiset inclusion;

5. if $\sigma_\alpha \;\lhd^{a}\; (\sigma_{\alpha_1} \to \cdots \to \sigma_{\alpha_n} \to a) \to (\sigma_{\beta_1} \to \cdots \to \sigma_{\beta_m} \to a) \to a$ then $\sigma_\alpha \in \{\sigma_{\alpha_1}, \ldots, \sigma_{\alpha_n}, \sigma_{\beta_1}, \ldots, \sigma_{\beta_m}\}$.

The proof of NP-hardness relies on a reduction of the 3-SAT problem to the 
problem of affine retractions. First, we present a translation of 3-SAT problem 
instances into instances of the affine retractions problem. Then, we show that 
the instance of the former has a solution if and only if there is a pair of terms 
certifying retractability for the translation. 
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We fix a set $X$ of denumerably many propositional variables. Let $\phi$ be an instance of 3-SAT. The formula has the form

$\phi = \bigwedge_{i=1}^{n} \phi_i \qquad (1)$

where $\phi_i = y_{i,1} \vee y_{i,2} \vee y_{i,3}$ with $y_{i,j} = x$ or $y_{i,j} = \neg x$ for some $x \in X$. Let $\mathrm{FV}(\phi) = \{x_1, \ldots, x_m\}$ be the set of all variables occurring in $\phi$ and let $Y_0 = \{x_1, \ldots, x_m, \neg x_1, \ldots, \neg x_m\}$. The set $Y_0$ is called the set of literals in $\phi$. For each literal $y = \neg x$ we define $\neg y$ to be $x$. As usual, a valuation $v : X \to \{0, 1\}$ allows us to define a value $v(\phi)$ of the formula $\phi$. This is done by induction on the structure of $\phi$ according to the usual semantics of the connectives $\wedge$, $\vee$, and $\neg$. Suppose we have a properly isolated family $\{A_i\}_{i \in \mathbb{N}}$. Given the above-mentioned notation for subformulae of $\phi$, we fix the notation for elements of $A_{2m+n}$ as

$A_{2m+n} = \{\sigma_{x_1}, \ldots, \sigma_{x_m}, \sigma_{\neg x_1}, \ldots, \sigma_{\neg x_m}, \sigma_{\phi_1}, \ldots, \sigma_{\phi_n}\}.$

Let $B_y = \{\phi_i \mid \phi_i$ is a subformula of $\phi$ with $\phi_i = y_1 \vee y_2 \vee y_3$, $y_1, y_2, y_3 \in Y_0$, and $y$ is one of $y_1, y_2, y_3\}$.

For each literal $y \in Y_0$, we define $\tau_{B_y} = \sigma_{\phi_{i_1}} \to \cdots \to \sigma_{\phi_{i_k}} \to a$ where $B_y = \{\phi_{i_1}, \ldots, \phi_{i_k}\}$. This allows us to define $\tau_{\ldots} = \tau_{B_{\ldots}} \to \tau_{B_{\ldots}} \to a$. Moreover, we define for $x \in \mathrm{FV}(\phi)$ a type $\tau_x = \sigma'_x \to \cdots$.

This allows us to formulate the result of translating $\phi$ into an instance of the affine retractions problem

$\sigma_\phi = \sigma_{x_1} \to \cdots$
$\tau_\phi = \cdots$

Lemma 9. (a valuation induces a derivation)

If $v : X \to \{0, 1\}$ is a valuation such that $v(\phi) = 1$, then $\sigma_\phi \lhd^{a} \tau_\phi$.

Proof. In order to prove the lemma we have to generalize it so that it holds for a wider range of types. We say that types $\sigma'_\phi, \tau'_\phi$ are an acceptable coding of $\phi$ if $\sigma'_\phi$ is as before and $\tau'_\phi$ has the form $\tau'_\phi = \tau_{x_1} \to \cdots \to \tau_{x_m} \to \cdots \to a$ with $\tau'_{B_y} = \sigma_{\phi_{i_1}} \to \cdots \to \sigma_{\phi_{i_k}} \to \rho_1 \to \cdots \to \rho_l \to a$ for $y \in Y_0$, where $\rho_1, \ldots, \rho_l$ are arbitrary types and $B_y = \{\phi_{i_1}, \ldots, \phi_{i_k}\}$. Moreover, we say that a coding is acceptable if in $\tau'_{B_y}$ the subtypes $\rho_i$ are permuted with the types $\sigma_{\phi_{i_j}}$.

We produce a derivation for $\sigma'_\phi \lhd^{a} \tau'_\phi$, where $\sigma'_\phi, \tau'_\phi$ are an acceptable coding of $\phi$, by induction on the number of variables in $\phi$. Note that $\sigma_\phi, \tau_\phi$ are an acceptable coding for $\phi$. First, we may permute using (P) so that we obtain

$\sigma'_\phi = \sigma'_{x_1} \to \cdots, \quad \tau'_\phi = \tau_{x_1} \to \cdots$ in case $v(x_1) = 1$,
$\sigma'_\phi = \sigma'_{\neg x_1} \to \cdots, \quad \tau'_\phi = \tau_{x_1} \to \cdots$ in case $v(x_1) = 0$. $\qquad (3)$
Fig. 5. The application of the rule (D) in order to remove the first variable in (3)

We apply the rule (D) and obtain the left premise $\sigma_{x_1} \lhd \tau_{x_1}$ (or $\sigma_{\neg x_1} \lhd \tau_{x_1}$); see Fig. 5. This derivation can be done by the rule (H).

In order to construct a derivation for the right premise of (D) we permute so that we obtain
$$\sigma_{\neg y} \to \sigma_{\varphi_{i_1}} \to \cdots \to \sigma_{\varphi_{i_r}} \to \cdots \;\lhd\; \tau_{B_y} \to \cdots \qquad (4)$$
where $y$ is either $x_1$ or $\neg x_1$ and $\{\varphi_{i_1},\dots,\varphi_{i_r}\} = B_y$. We apply the rule (D) as in Fig. 6. The left premise of the rule can be derived by repeated application of the rule (H) to get rid of the types $\sigma_{\varphi_{i_j}}$, followed by an application of (N) to get rid of $\rho_a$.





Fig. 6. The application of the rule (D) in order to decompose inequality (4) 

The types forming the right premise of this (D) are an acceptable coding of a formula $\varphi'$ which is constructed from $\varphi$ by erasing all the subformulae from $B_y$. Thus we obtain by induction a derivation for this premise. This derivation is the missing derivation for the right premise of the rule (D). □

Lemma 10. (a derivation induces a valuation)

If $\sigma_\varphi \lhd \tau_\varphi$ is derivable, then there is a valuation $v : X \to \{0,1\}$ such that $v(\varphi) = 1$.
Proof. In order to prove the lemma we have to generalise it to cover a wider class of types $\sigma_\varphi$ and $\tau_\varphi$. We say that for a given formula $\varphi$ and a partial function $v_0 : X \rightharpoonup \{0,1\}$, types $\sigma, \tau$ are an acceptable coding for $\varphi, v_0$ if

^4>l 

where $\{x_1,\dots,x_m\} \subseteq FV(\varphi) \setminus Dom(v_0)$. We prove the following generalisation of our lemma: if $\sigma \lhd \tau$ is derivable for types $\sigma, \tau$ forming an acceptable coding for $\varphi, v_0$, then $v_0$ can be extended to a valuation $v : X \to \{0,1\}$ such that $v(\varphi) = 1$.

The proof is by induction on the number of variables in $FV(\varphi) \setminus Dom(v_0)$. If there is a derivation for $\sigma \lhd \tau$ then by Prop. 6 we may assume that it starts with the rule (P) followed by a certain number of the rules (H) and (D) applied to the subsequent right premises, with a single (N) rule at the end followed by the axiom. Moreover, we assume that no rule (D) can be replaced by an equivalent rule (N). Derivations having this shape are called well-formed.

For such derivations the first (P) rule may be followed by

1. the rule (H) in which the left premise is $\sigma_{x_1} \lhd \tau_\alpha$ for some $\alpha$, or

2. the rule (D) in which the left premise is
$$\sigma_{\alpha_1} \to \cdots \to \sigma_{\alpha_n} \to a \;\lhd\; \sigma_{\beta_1} \to \cdots \to \sigma_{\beta_m} \to a$$
for certain $\alpha_1,\dots,\alpha_n,\beta_1,\dots,\beta_m$, or

3. the rule (N).

In case (1) we have two options: either (a) $\tau_\alpha = \tau_{x_1}$ or (b) $\tau_\alpha = \tau_{B_{x_1}}$. This is guaranteed by the condition (5) on the properly isolated family.

In case (1.a) we have $\tau_\alpha = \tau_{x_1}$. We extend $v_0$ to $v'_0$ so that $v'_0(x_1) = 1$. In this situation we may assume that the right premise of the rule (H) has a derivation which starts with the rule (P) followed by

i. the rule (H) in which the left premise is $\sigma_{\neg x_1} \lhd \tau_{\alpha'}$, or

ii. the rule (D) in which the left premise is
$$\sigma_{\alpha_1} \to \cdots \to \sigma_{\alpha_n} \to a \;\lhd\; \sigma_{\beta_1} \to \cdots \to \sigma_{\beta_m} \to a, \qquad (5)$$
or

iii. the rule (N).

For the situation (1.a.i) we observe that this is possible only if $\alpha' = x_j$ or $\alpha' = B_{x_j}$. The condition (2) on the properly isolated family implies that in the former case $\alpha' = x_1$. This is impossible, though, as $\tau_{x_1}$ is already used in the left premise of (H). The condition (5) on the properly isolated family implies that in the latter case $B_{x_j} = B_{\neg x_1}$. As we got rid of both $\sigma_{x_1}$ and $\sigma_{\neg x_1}$, the right premise of (H) is a formula which is an acceptable coding of $\varphi$ and $v'_0$, so by the induction hypothesis $v'_0$ extends into a valuation $v$ such that $v(\varphi) = 1$.

For the proof in the case (1.a.ii), we observe that part (4) of Definition 8 implies that $\neg x_1 \in \{\beta_1,\dots,\beta_m\}$. This is possible by an application of the rule (D) either to $\tau_{x_1}$ or to $\tau'_{B_{x_1}}$. The former option is not possible since $\tau_{x_1}$ is already used in (H). The latter option implies that the inequality (5) is in fact
$$\sigma_{\neg x_1} \to \sigma_{\alpha_1} \to \cdots \to \sigma_{\alpha_n} \to a \;\lhd\; \sigma_{\varphi_{i_1}} \to \cdots \to \sigma_{\varphi_{i_r}} \to \cdots \to a,$$
where $\{\varphi_{i_1},\dots,\varphi_{i_r}\} = B_{x_1}$. The condition (4) on the properly isolated family implies that $\{\alpha_1,\dots,\alpha_n\} \subseteq \{\varphi_{i_1},\dots,\varphi_{i_r}\}$ (where the inclusion is taken as for multisets).

This means that the right premise of (D), possibly after an application of the rule (P), has the form
$$\sigma_{x_2} \to \cdots \to \sigma_{x_m} \to \sigma_{\neg x_2} \to \cdots \to \sigma_{\neg x_m} \to \cdots \to a \;\lhd\; \tau_{x_2} \to \cdots \to \tau_{x_m} \to \cdots \to a.$$
The variables $x_2,\dots,x_m$ belong to $FV(\varphi) \setminus Dom(v'_0)$, so this pair of types is an acceptable coding of $\varphi$ and $v'_0$. As this premise has its derivation, the induction hypothesis implies that $v'_0$ can be extended to a valuation $v$ such that $v(\varphi) = 1$.

For the proof in the case (1.a.iii) we exploit the fact that the derivation is well-formed. This implies that the premise we consider has the form $a \lhd \tau_1 \to \cdots \to \tau_r \to a$. This is impossible, though, as each $\sigma_x$ on the left-hand side of the original inequality is accompanied by $\sigma_{\neg x}$.

In case (1.b) we have $\tau_\alpha = \tau_{B_{x_1}}$. We extend $v_0$ to $v'_0$ so that $v'_0(x_1) = 0$. In this situation the right premise of the rule (H) has a derivation which starts with the rule (P) followed by

i. the rule (H) in which the left premise is $\sigma_{\neg x_1} \lhd \tau_{\alpha'}$, or

ii. the rule (D) in which the left premise is
$$\sigma_{\alpha_1} \to \cdots \to \sigma_{\alpha_n} \to a \;\lhd\; \sigma_{\beta_1} \to \cdots \to \sigma_{\beta_m} \to a, \text{ or}$$

iii. the rule (N).

The proof is similar to the one for the case (1.a), but we exchange the roles of $\tau_{x_1}$ and $\tau_{B_{x_1}}$.

In case (2) the proof runs similarly to the case (1.a.ii), but we have to put $v'_0(x_1) = 0$ and, before stepping into the induction hypothesis, we have to analyse the way $\sigma_{\neg x_1}$ is handled. This is done by an analysis similar to the one in the remaining parts of the case (1).

In case (3) we exploit the fact that the derivation is well-formed. This implies that the premise we consider has the form $a \lhd \tau_1 \to \cdots \to \tau_r \to a$. This is impossible, though, as each $\sigma_x$ on the left-hand side of the original inequality is accompanied by $\sigma_{\neg x}$. □
3.2 Properly Isolated Families

Definition 11. (families of types)

We now define three particular families of types.

— A family of types $A^\infty = \{A^\infty_i\}_{i\in\mathbb{N}}$ is such that $A^\infty_n = \{a_1,\dots,a_n\}$ where $a_i$ for $i = 1,\dots,n$ are distinct type atoms and each $a_i \ne a$, where $a$ is the atom used in Sect. 3.1.

— A family of types $A^{b} = \{A^{b}_i\}_{i\in\mathbb{N}}$ is such that $A^{b}_n = \{\sigma_1,\dots,\sigma_n\}$ where $\sigma_i$ for $i = 1,\dots,n$ is defined as
$$\sigma_i = \underbrace{a \to \cdots \to a}_{n-i \text{ times}} \to \underbrace{b \to \cdots \to b}_{i+1 \text{ times}}$$
where $b \ne a$ and $b$ does not occur explicitly in the constructions from Sect. 3.1.

— A family of types $A^{a} = \{A^{a}_i\}_{i\in\mathbb{N}}$ is such that $A^{a}_n = \{\sigma_1,\dots,\sigma_n\}$ where $\sigma_i$ for $i = 1,\dots,n$ is defined as $\sigma_i = (\delta_{2n-i+2} \to \delta_{i+1} \to a) \to a$ where
$$\delta_i = \underbrace{a \to \cdots \to a}_{i \text{ times}} \to a.$$

Lemma 12. (isolation) 

( ) . . A°° 

, , , (J 



A^ 

fc > 2 C‘J 



A^ 



Proof. The proof is by a routine case analysis. □

Theorem 13. (NP-completeness) 

> ! I ! ‘ ’ i l ‘ l - ^ i - ^ r k , ^ ^ k >2 

u \ \ - 7 ' . ' . , , O '' ' ,. 

Proof. It follows from Lemmas 9 and 10 that the existence of a properly isolated family implies NP-completeness. From Lemma 12 we know that a properly isolated family does indeed exist in each case. □

4 Polynomial Case 

Here we introduce polynomial algorithms that decide affine retractability for 
types of order 1, 2 and 3. We present them as separate procedures instead of a 
single one. This is because we want to analyse separately the running time of 
the algorithms. 

The algorithm for the order 1 is very obvious as we can only use the rule 
(Ax) in this case. 

Definition 14. (algorithm for the order 1)

Let $\sigma = a$ and $\tau = b$ be the input types where $a, b$ are atomic. If $a = b$ then the affine retractability holds, else it does not hold.

The algorithms for orders 2 and 3 are based on the following observations.

Proposition 15. (the rule (D) in low orders) 

cr, r _ ,, , 4 _ cr<^T 

Proof. As the right-hand side has order at most 3, the rule (D) may give only a term of order 1 on the right-hand side. Thus we may have the left-hand side of order 1. However, in such an application of (D) the right premise can also be obtained by the rule (N). □

The algorithm for the types in $T^2$ (the order 2) requires an additional observation.

Definition 16. (weight of types)

For types of order 2 we introduce a weight function $\# : T^2 \to \mathbb{N}^B$ defined as
$$\#(\sigma)(a) = |\{\, i \mid \sigma = a_1 \to \cdots \to a_n \to b \text{ and } a_i = a \,\}|.$$
We use the order $\le$ on elements of $\mathbb{N}^B$ defined as $f \le g$ iff for each $a \in B$ we have $f(a) \le g(a)$.

Proposition 17. (the weight and $\lhd$)

Let $\sigma, \tau \in T^2$ have the same result atom. Then $\sigma \lhd \tau$ iff $\#(\sigma) \le \#(\tau)$.

Proof. Induction on the size of $\sigma$. □

Definition 18. (algorithm for the order 2)

Let $\sigma$ and $\tau$ be the input types. If the result atoms of $\sigma$ and $\tau$ differ then the affine retractability does not hold. Otherwise, if $\#(\sigma) \le \#(\tau)$ then $\sigma \lhd \tau$ holds, and by Proposition 17 it does not hold in the remaining case.

Note that the above algorithm runs in time linear in the size of the input. The correctness of the algorithm for the order 3 defined below is based on Prop. 15 and on the correctness of the algorithm for the order 2.

Definition 19. (algorithm for the order 3)

Let $\sigma$ and $\tau$ be the input types. If the result atoms of $\sigma$ and $\tau$ differ then the affine retractability does not hold. In case they coincide we construct a bipartite graph $G = (V_1 \cup V_2, E)$ in which
$$V_1 = \{\sigma_i \mid 1 \le i \le n \text{ and } \sigma = \sigma_1 \to \cdots \to \sigma_n \to a\},$$
$$V_2 = \{\tau_j \mid 1 \le j \le m \text{ and } \tau = \tau_1 \to \cdots \to \tau_m \to a\},$$
$$E = \{(\sigma_i, \tau_j) \mid \sigma_i \lhd \tau_j,\ \sigma_i \in V_1,\ \tau_j \in V_2\}.$$
The vertices are argument positions, so two equal argument types give two distinct vertices. Now, we find a perfect matching in $G$. If there is one then $\sigma \lhd \tau$ holds, otherwise it does not hold.

Note that the construction of the graph takes 0{n^) where n is the size of 
the input and the size of G is 0{n?). The running time for a perfect matching 
procedure is 0{m^) where m is the size of an input graph (see e.g. Chap. 27 
in [CLR90]). This makes the overall running time 0(n®). 
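As an added illustration of Definitions 14, 18 and 19 (this is example code written for this page, not code from the paper), the following Python sketch represents a type $\sigma_1 \to \cdots \to \sigma_n \to b$ as a pair (argument tuple, result atom), computes the order and the weight $\#$ of Definition 16, and decides $\sigma \lhd \tau$ for orders 1 to 3 by dispatching on the order exactly as the three definitions do. Two readings of the damaged source are assumptions: the comparison in Definition 18 is taken to be the pointwise $\le$ of Definition 16 (as in Proposition 17), and the "perfect matching" of Definition 19 is taken literally, so $\sigma$ and $\tau$ must have the same number of arguments. The matching is found with a plain augmenting-path search instead of the flow algorithm cited from [CLR90]; the sample types in the demo are constructed here.

```python
from collections import Counter

# A type is either an atom (a str) or sigma_1 -> ... -> sigma_n -> b, encoded as the pair
# (tuple_of_argument_types, result_atom).  The encoding is ours, not the paper's.


def arrow(*parts):
    """Build sigma_1 -> ... -> sigma_n -> b from its parts (b must be an atom)."""
    *args, result = parts
    assert isinstance(result, str), "the result of an arrow type must be an atom"
    return result if not args else (tuple(args), result)


def order(t):
    """Atoms have order 1; an arrow type has order 1 + the largest order of an argument."""
    if isinstance(t, str):
        return 1
    return 1 + max(order(s) for s in t[0])


def result_atom(t):
    return t if isinstance(t, str) else t[1]


def arguments(t):
    return () if isinstance(t, str) else t[0]


def weight(t):
    """Definition 16: #(sigma)(a) = number of argument positions of sigma holding the atom a."""
    assert order(t) <= 2, "weights are defined for types of order at most 2"
    return Counter(arguments(t))


def weight_le(s, t):
    """The pointwise order on N^B of Definition 16 (assumed reading of Definition 18)."""
    ws, wt = weight(s), weight(t)
    return all(ws[a] <= wt[a] for a in ws)


def perfect_matching(left, right, edge):
    """Kuhn's augmenting-path search: True iff both sides have the same size and every
    left vertex can be matched to a distinct right vertex it has an edge to."""
    if len(left) != len(right):
        return False
    match_right = {}  # index into right -> index into left

    def augment(i, seen):
        for j, r in enumerate(right):
            if j in seen or not edge(left[i], r):
                continue
            seen.add(j)
            if j not in match_right or augment(match_right[j], seen):
                match_right[j] = i
                return True
        return False

    return all(augment(i, set()) for i in range(len(left)))


def affine_retract(s, t):
    """Decide sigma <| tau for types of order at most 3 (Definitions 14, 18 and 19)."""
    k = max(order(s), order(t))
    if k == 1:                                   # Definition 14: only the rule (Ax)
        return s == t
    if result_atom(s) != result_atom(t):         # both algorithms reject on the result atom first
        return False
    if k == 2:                                   # Definition 18 with the #(s) <= #(t) reading
        return weight_le(s, t)
    if k == 3:                                   # Definition 19: perfect matching on argument positions
        return perfect_matching(list(arguments(s)), list(arguments(t)), affine_retract)
    raise ValueError("only types of order 1 to 3 are handled here (order %d given)" % k)


if __name__ == "__main__":
    s = arrow(arrow("a", "b"), "c", "d")          # (a -> b) -> c -> d, order 3
    t = arrow("c", arrow("a", "a", "b"), "d")     # c -> (a -> a -> b) -> d
    print(order(s), affine_retract(s, t))         # 3 True
```

The recursion in `affine_retract` is what makes the edge relation of Definition 19 concrete: an edge between two order-2 arguments is decided by the weight test, and between two atoms by Definition 14.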
The results in this section close the algorithmic gap for type languages with infinitely many type atoms. Formally, this is the kind of approach used in the programming languages in current use. Moreover, most of the higher-order functions in current use have order 3.

One may, however, want to restrict types so that they have at most $k$ type atoms for some reasonably high fixed number, e.g. 10. Unfortunately, the problem of affine retractability is NP-complete already for types with 2 atoms and of order 5. The author conjectures, though, that this problem is polynomial for types of order 4.

The algorithms presented here construct derivations for type retractions. The system in Fig. 3 can be used to compute retraction terms based on these derivations.

Acknowledgements. The author would like to thank Paweł Urzyczyn for pointing out the problem and for discussions on it. Thanks also go to Damian Niwiński for help in the preparation of the paper.
Abstract. We prove that higher-order matching in the linear λ-calculus with pairing is decidable. We also establish its NP-completeness under the assumption that the right-hand side of the equation to be solved is given in normal form.



1 Introduction 

The decidability of higher-order matching (which consists in determining whether a simply typed λ-term is an instance of another one, modulo the conversion rules of the λ-calculus) has been intensively studied in the literature. In particular, second-order matching [12], third-order matching [5], and fourth-order matching [16] have been shown to be decidable (both modulo $\beta$ and $\beta\eta$). On the other hand, it has been proved that, starting from the sixth order, higher-order matching modulo $\beta$ is undecidable [14] (for $\beta\eta$, the problem is still open).

In two recent papers [9] and [10], we studied the decidability and the com- 
plexity of a quite restricted form of higher-order matching, namely, higher-order 
matching in the linear A-calculus. This calculus corresponds, through the Curry- 
Howard isomorphism, to the implicative fragment of Girard’s linear logic [7], 
and may be naturally extended by taking into account the other connectives of 
linear logic. We follow this line of research in the present paper by considering 
the linear A-calculus with pairing, i.e., the calculus corresponding to the negative 
fragment of multiplicative additive linear logic. 

The paper is organized as follows. Section 2 presents the necessary mathe- 
matical notions and notations that we use in the sequel. In section 3, we show 
that deciding whether a linear A-term with pairs may be reduced to a given nor- 
mal form may be done in polynomial time. Finally, section 4 shows that every 
term may be turned into another term that has the same behaviour with respect 
to reductions, and whose length is bounded in terms of the redices it contains 
and the size of its normal form. This technical result allows us to conclude that 
higher-order matching in the linear A-calculus with pairing is decidable. We also 
obtain that the problem is NP-complete when the right member of the equation 
is given in normal form. 

J. Marcinkowski and A. Tarlecki (Eds.): CSL 2004, LNCS 3210, pp. 220-234, 2004. 

© Springer- Verlag Berlin Heidelberg 2004 
2 Mathematical Background

Definition 1.

Definition 2.
$$\mathcal{T} ::= \mathcal{C} \mid \mathcal{V} \mid \mathcal{X} \mid \lambda\mathcal{V}.\,\mathcal{T} \mid (\mathcal{T}\;\mathcal{T}) \mid (\mathcal{T},\mathcal{T}) \mid (\pi_1\,\mathcal{T}) \mid (\pi_2\,\mathcal{T})$$

In the above definition, the elements of $\mathcal{C}$ correspond to constants, and the elements of $\mathcal{V}$ are the λ-variables. The elements of $\mathcal{X}$ are called the unknowns, and will be denoted by uppercase bold letters (X, Y, Z, ...).

The notions of free and bound occurrences of a λ-variable are defined as usual, and we write $FV(t)$ for the set of λ-variables that occur free in a λ-term $t$. A λ-term that does not contain any subterm of the form $(t,u)$ is called a λ-term without pairs. A λ-term that does not contain any unknown is called a pure λ-term.

The notion of linear λ-term is then defined as follows.

Definition 3. The sets $\mathcal{T}_\alpha$ of linear λ-terms of type $\alpha$ are defined by the following clauses:

1. if $a \in \mathcal{C}_\alpha$ then $a \in \mathcal{T}_\alpha$;
2. if $X \in \mathcal{X}_\alpha$ then $X \in \mathcal{T}_\alpha$;
3. if $x \in \mathcal{V}_\alpha$ then $x \in \mathcal{T}_\alpha$;
4. if $x \in \mathcal{V}_\alpha$, $t \in \mathcal{T}_\beta$ and $x \in FV(t)$, then $\lambda x.\,t \in \mathcal{T}_{\alpha \multimap \beta}$;
5. if $t \in \mathcal{T}_{\alpha \multimap \beta}$, $u \in \mathcal{T}_\alpha$ and $FV(t) \cap FV(u) = \emptyset$, then $(t\;u) \in \mathcal{T}_\beta$;
6. if $t \in \mathcal{T}_\alpha$, $u \in \mathcal{T}_\beta$ and $FV(t) = FV(u)$, then $(t,u) \in \mathcal{T}_{\alpha \mathbin{\&} \beta}$;
7. if $t \in \mathcal{T}_{\alpha \mathbin{\&} \beta}$ then $(\pi_1 t) \in \mathcal{T}_\alpha$;
8. if $t \in \mathcal{T}_{\alpha \mathbin{\&} \beta}$ then $(\pi_2 t) \in \mathcal{T}_\beta$.

The conditions on the free variables in clauses 4, 5, and 6 correspond to the linearity conditions. They constrain the way λ-variables may occur in a term.

We define $\mathcal{T}$ to be $\bigcup_{\alpha \in \mathcal{F}} \mathcal{T}_\alpha$, where $\mathcal{F}$ is the set of linear types (this is a proper subset of the set of raw λ-terms). It is easy to prove that the sets $\mathcal{T}_\alpha$ are pairwise disjoint. Consequently, we may define the type of a linear λ-term $t$ to be the unique linear type $\alpha$ such that $t \in \mathcal{T}_\alpha$.

We let $t[x:=u]$ denote the usual capture-avoiding substitution of a λ-variable by a λ-term, and $t[x_1:=u_1,\dots,x_n:=u_n]$ denote the usual notion of parallel substitution. If $\sigma$ denotes such a parallel substitution $[x_1:=u_1,\dots,x_n:=u_n]$, we write $t.\sigma$ for $t[x_1:=u_1,\dots,x_n:=u_n]$, $\sigma(x_i)$ for $u_i$, and we define $\mathrm{dom}(\sigma)$ to be the finite set of variables $\{x_1,\dots,x_n\}$. We use the same notations to denote the substitutions of unknowns by λ-terms. The substitution whose domain is empty is the identity and is written $\mathrm{Id}$.

We take for granted the usual notions of $\beta$-reduction, left projection, and right projection:
$$(\lambda x.\,t)\,u \to t[x:=u], \qquad \pi_1(t,u) \to t, \qquad \pi_2(t,u) \to u.$$
The union of these three notions of reduction induces the relation of one-step reduction ($\to$), the relation of at-most-one-step reduction ($\to^{=}$), the relations of $n$-step reduction ($\to^{n}$), and the relation of many-step reduction ($\to^{*}$). The equality between linear λ-terms ($=$) is defined to be the reflexive, symmetric, transitive closure of the relation of reduction, and we write $\equiv$ for syntactic equality. The linear λ-calculus with pairing is strongly normalizable; the equality ($=$) is then decidable and every term has a unique normal form.

We now give a precise definition of the matching problem with which this 
paper is concerned. 

Definition 4. , , . , . ( , X , , 

We end this section with two remarks about the previous definition:

1. In the substitution $[X_1:=t_1,\dots,X_n:=t_n]$ we do not require $t_1,\dots,t_n$ to be pure terms. This is mandatory. Consider, for instance, the following matching problem: $\pi_1 X = c$, where $c$ is a constant of type $\alpha$, and $X$ an unknown of type $\alpha \mathbin{\&} \beta$. This problem admits the solution $[X:=(c,Y)]$, where $Y$ is an unknown of type $\beta$. Now, if we required the solution to be made of pure terms, we would face the problem of constructing a closed term of type $\beta$, which is undecidable.

2. In defining the notion of equality, we did not take into account $\eta$-reduction and surjective pairing. In fact, all the results we obtain in this paper also hold for this stronger notion of equality.



3 A Polynomially Bounded Reduction Strategy 

One of the key properties in establishing the NP-completeness of higher-order matching in the linear λ-calculus [9] is that any linear λ-term (without pairs) may be reduced to its normal form in polynomial (actually, linear) time. This is a direct consequence of the fact that the length of a linear λ-term strictly decreases under $\beta$-reduction.

This property does not hold in the presence of pairing. Indeed, in a linear λ-term of the form $\lambda x.\,(t,u)$, there are at least two occurrences of $x$ that are bound by the abstraction. Consequently, the length of a redex such as $(\lambda x.\,(t,u))\,v$ may be strictly less than the length of its contractum $(t,u)[x:=v]$. In fact, it is not even the case (modulo yf ^ ) that a linear λ-term with pairs may be reduced to its normal form in polynomial time [15]. Consequently, in this section we establish the following weaker property: if $t \to^{*} u$ then there exists a reduction strategy $t \to^{n} u$ such that $n$ is polynomially bounded with respect to the lengths of $t$ and $u$.

In order to establish this property, we first define two notions of complexity.

Definition 5. Let $\alpha$ be a linear type. The complexity $p(\alpha)$ of $\alpha$ is defined by induction on $\alpha$:
$$p(a) = 0 \text{ for } a \text{ atomic}, \qquad p(\alpha \multimap \beta) = p(\alpha) + p(\beta) + 1, \qquad p(\alpha \mathbin{\&} \beta) = p(\alpha) + p(\beta) + 1.$$

Definition 6. For a linear λ-term $t$ we write $p(t)$ for $p(\alpha)$, where $\alpha$ is the type of $t$. The norm $\mu(t)$ of $t$ is defined by induction on $t$:
$$\mu(h) = 0 \quad \text{for } h \text{ a constant, a λ-variable or an unknown},$$
$$\mu(\lambda x.\,t_1) = \mu(t_1),$$
$$\mu(t_1\,t_2) = \begin{cases} \mu(t_1) + \mu(t_2) + p(t_1) & \text{if } t_1 \text{ is an abstraction} \\ \mu(t_1) + \mu(t_2) & \text{otherwise} \end{cases}$$
$$\mu((t_1,t_2)) = \max(\mu(t_1), \mu(t_2)),$$
$$\mu(\pi_i\,t_1) = \begin{cases} \mu(t_1) + p(t_1) & \text{if } t_1 \text{ is a pair} \\ \mu(t_1) & \text{otherwise} \end{cases} \qquad (i = 1, 2).$$

The above norm does not strictly decrease when reducing a term. This is due to clause 4. Indeed, in case $t_1 \to t_2$ with $\mu(t_1) \le \mu(u)$, we have $(t_1,u) \to (t_2,u)$ while $\mu((t_1,u)) = \mu((t_2,u))$. In fact, this is the only problematic case, and we will prove that the norm strictly decreases under reduction if there is no reduction step that takes place within a pair. To this end, we introduce the following notion of external reduction.

Definition 7. The relation of external reduction ($\rhd$) is defined by the following rules:
$$(\lambda x.\,t)\,u \rhd t[x:=u] \qquad \pi_1(t,u) \rhd t \qquad \pi_2(t,u) \rhd u$$
$$\frac{t \rhd u}{\lambda x.\,t \rhd \lambda x.\,u} \qquad \frac{t \rhd u}{t\,v \rhd u\,v} \qquad \frac{t \rhd u}{v\,t \rhd v\,u} \qquad \frac{t \rhd u}{\pi_1 t \rhd \pi_1 u} \qquad \frac{t \rhd u}{\pi_2 t \rhd \pi_2 u}$$
There is no rule for reducing inside a pair. We write $\rhd^{n}$ and $\rhd^{*}$ for $n$ steps and for any number of steps of external reduction.
We state two technical lemmas that will be useful in the sequel. Their proofs, which are not difficult, are left to the reader.

Lemma 1. If $t \to^{*} \lambda x.\,u$ then there exists $v$ such that $t \rhd^{*} \lambda x.\,v \to^{*} \lambda x.\,u$. □

Lemma 2. If $t \to^{*} (u_1,u_2)$ then there exist $v_1, v_2$ such that $t \rhd^{*} (v_1,v_2) \to^{*} (u_1,u_2)$. □

We are now in a position of proving that the norm of a term strictly decreases under external reduction. The keystone of the proof is the following substitution lemma.

Lemma 3. Let $t \in \mathcal{T}_\beta$, $u \in \mathcal{T}_\alpha$ and $x \in \mathcal{V}_\alpha$ with $x \in FV(t)$. Then
$$\mu(t[x:=u]) \le \mu(t) + \mu(u) + p(u).$$


Proof. The proof proceeds by induction on the structure of $t$.

1. $t = x$.
$$\mu(t[x:=u]) = \mu(x[x:=u]) = \mu(u) \le \mu(u) + p(u) = \mu(t) + \mu(u) + p(u).$$

2. $t = \lambda y.\,t_1$.
$$\mu(t[x:=u]) = \mu(\lambda y.\,t_1[x:=u]) = \mu(t_1[x:=u]) \le \mu(t_1) + \mu(u) + p(u) = \mu(t) + \mu(u) + p(u),$$
using the induction hypothesis.

3. $t = t_1\,t_2$. We distinguish between two cases:

(a) $x \in FV(t_1)$. Because of the linearity of $t$, we have that $x \notin FV(t_2)$. Consequently, $t[x:=u] = t_1[x:=u]\,t_2$. Then, there are three subcases:

i. $t_1 = x$ and $u = \lambda y.\,u_1$.
$$\mu(t[x:=u]) = \mu(x[x:=u]\,t_2) = \mu(u\,t_2) = \mu(u) + \mu(t_2) + p(u) = \mu(x) + \mu(t_2) + \mu(u) + p(u) = \mu(t) + \mu(u) + p(u).$$

ii. $t_1 = \lambda y.\,t_{11}$.
$$\begin{aligned}
\mu(t[x:=u]) &= \mu(t_1[x:=u]\,t_2) \\
&= \mu(t_1[x:=u]) + \mu(t_2) + p(t_1[x:=u]) \\
&= \mu(t_1[x:=u]) + \mu(t_2) + p(t_1) && \text{(by stability of typing under substitution)} \\
&\le \mu(t_1) + \mu(t_2) + p(t_1) + \mu(u) + p(u) && \text{(by induction hypothesis)} \\
&= \mu(t) + \mu(u) + p(u).
\end{aligned}$$

iii. Otherwise. Here $t_1[x:=u]$ is not an abstraction: either $t_1 = x$ and $u$ is not an abstraction, or $t_1$ is an application or a projection, whose shape is preserved by substitution. Hence
$$\mu(t[x:=u]) = \mu(t_1[x:=u]\,t_2) = \mu(t_1[x:=u]) + \mu(t_2) \le \mu(t_1) + \mu(t_2) + \mu(u) + p(u) = \mu(t) + \mu(u) + p(u),$$
using the induction hypothesis.

(b) $x \in FV(t_2)$. There are two subcases, which are similar to Subcases ii and iii of Case (a).

4. $t = (t_1,t_2)$.
$$\begin{aligned}
\mu(t[x:=u]) &= \mu((t_1[x:=u],\, t_2[x:=u])) \\
&= \max(\mu(t_1[x:=u]),\, \mu(t_2[x:=u])) \\
&\le \max(\mu(t_1) + \mu(u) + p(u),\ \mu(t_2) + \mu(u) + p(u)) && \text{(by induction hypothesis)} \\
&= \max(\mu(t_1), \mu(t_2)) + \mu(u) + p(u) \\
&= \mu(t) + \mu(u) + p(u).
\end{aligned}$$

5. $t = \pi_1 t_1$. We distinguish between three cases:

(a) $t_1 = x$ and $u = (u_1,u_2)$.
$$\mu(t[x:=u]) = \mu(\pi_1 u) = \mu(u) + p(u) = \mu(\pi_1 x) + \mu(u) + p(u) = \mu(t) + \mu(u) + p(u).$$

(b) $t_1 = (t_{11}, t_{12})$.
$$\begin{aligned}
\mu(t[x:=u]) &= \mu(\pi_1(t_1[x:=u])) \\
&= \mu(t_1[x:=u]) + p(t_1[x:=u]) \\
&= \mu(t_1[x:=u]) + p(t_1) && \text{(by stability of typing under substitution)} \\
&\le \mu(t_1) + p(t_1) + \mu(u) + p(u) && \text{(by induction hypothesis)} \\
&= \mu(t) + \mu(u) + p(u).
\end{aligned}$$

(c) Otherwise.
$$\mu(t[x:=u]) = \mu(\pi_1(t_1[x:=u])) = \mu(t_1[x:=u]) \le \mu(t_1) + \mu(u) + p(u) = \mu(t) + \mu(u) + p(u),$$
using the induction hypothesis.

6. $t = \pi_2 t_1$. This case is similar to the previous one. □
Proposition 1. Let $t, u \in \mathcal{T}$. If $t \rhd u$ then $\mu(u) < \mu(t)$.

Proof. The proof proceeds by induction on the derivation of $t \rhd u$. We only give the base cases; the induction steps are straightforward.

1. $t = (\lambda x.\,t_1)\,t_2$ and $u = t_1[x:=t_2]$.
$$\begin{aligned}
\mu(u) &= \mu(t_1[x:=t_2]) \\
&\le \mu(t_1) + \mu(t_2) + p(t_2) && \text{(by Lemma 3)} \\
&< \mu(t_1) + \mu(t_2) + p(t_2) + p(t_1) + 1 \\
&= \mu(t_1) + \mu(t_2) + p(\lambda x.\,t_1) \\
&= \mu(t).
\end{aligned}$$

2. $t = \pi_1(t_1,t_2)$ and $u = t_1$.
$$\begin{aligned}
\mu(u) &= \mu(t_1) \\
&\le \max(\mu(t_1), \mu(t_2)) \\
&< \max(\mu(t_1), \mu(t_2)) + p((t_1,t_2)) \\
&= \mu(\pi_1(t_1,t_2)) \\
&= \mu(t).
\end{aligned}$$
The strict inequality holds because the type of a pair is not atomic, so $p((t_1,t_2)) \ge 1$.

3. $t = \pi_2(t_1,t_2)$ and $u = t_2$. This case is similar to the previous one. □

Corollary 1. Let $t, u \in \mathcal{T}$. If $t \rhd^{n} u$ then $n \le \mu(t) - \mu(u)$.

Proof. By iterating Proposition 1. □
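As an added, runnable illustration of Definitions 5 to 7 and Proposition 1 (this is example code written for this page, not code from the paper), the following Python sketch encodes typed linear λ-terms with pairs, computes $p$ and $\mu$, performs external reduction $\rhd$ and records $\mu$ along the way. Assumptions beyond the page: the tuple encoding of terms and types is ours, $\mu$ is taken to be 0 on variables and unknowns as well as on constants, and substitution relies on the bound variables of the term being distinct from the free variables of the substituted term (no renaming). The sample terms are constructed here.

```python
# Linear lambda-terms with pairing as nested tuples (this encoding is ours, not the paper's):
#   types: an atom is a str; alpha -o beta is ("lolli", alpha, beta); alpha & beta is ("amp", alpha, beta)
#   terms: ("var", x, type) | ("const", c, type) | ("lam", x, type_of_x, body)
#          | ("app", t, u) | ("pair", t, u) | ("proj", i, t) with i in (1, 2)

def p_type(ty):
    """Definition 5: p(a) = 0 for an atom, p(alpha -o beta) = p(alpha & beta) = p(alpha) + p(beta) + 1."""
    if isinstance(ty, str):
        return 0
    return p_type(ty[1]) + p_type(ty[2]) + 1

def typeof(t):
    """Type of a well-formed term (a pair type is ("amp", alpha, beta), so component i is index i)."""
    tag = t[0]
    if tag in ("var", "const"):
        return t[2]
    if tag == "lam":
        return ("lolli", t[2], typeof(t[3]))
    if tag == "app":
        return typeof(t[1])[2]
    if tag == "pair":
        return ("amp", typeof(t[1]), typeof(t[2]))
    return typeof(t[2])[t[1]]

def p(t):
    """p of a term is p of its type."""
    return p_type(typeof(t))

def mu(t):
    """Definition 6: only a redex position (applied abstraction, projected pair) contributes p."""
    tag = t[0]
    if tag in ("var", "const"):
        return 0                           # assumption: 0 on variables as on constants
    if tag == "lam":
        return mu(t[3])
    if tag == "app":
        f = t[1]
        return mu(f) + mu(t[2]) + (p(f) if f[0] == "lam" else 0)
    if tag == "pair":
        return max(mu(t[1]), mu(t[2]))
    inner = t[2]
    return mu(inner) + (p(inner) if inner[0] == "pair" else 0)

def subst(t, x, u):
    """t[x:=u]; assumes the bound variables of t are distinct from the free variables of u."""
    tag = t[0]
    if tag == "var":
        return u if t[1] == x else t
    if tag == "const":
        return t
    if tag == "lam":
        return t if t[1] == x else ("lam", t[1], t[2], subst(t[3], x, u))
    if tag == "proj":
        return ("proj", t[1], subst(t[2], x, u))
    return (tag, subst(t[1], x, u), subst(t[2], x, u))

def step(t, external=True):
    """One leftmost reduction step, or None on a normal form.  With external=True this is the
    relation |> of Definition 7: a step is never taken inside a pair."""
    tag = t[0]
    if tag == "app":
        f, a = t[1], t[2]
        if f[0] == "lam":
            return subst(f[3], f[1], a)
        r = step(f, external)
        if r is not None:
            return ("app", r, a)
        r = step(a, external)
        return None if r is None else ("app", f, r)
    if tag == "proj":
        inner = t[2]
        if inner[0] == "pair":
            return inner[t[1]]
        r = step(inner, external)
        return None if r is None else ("proj", t[1], r)
    if tag == "lam":
        r = step(t[3], external)
        return None if r is None else ("lam", t[1], t[2], r)
    if tag == "pair" and not external:
        for i in (1, 2):
            r = step(t[i], external)
            if r is not None:
                return ("pair", r, t[2]) if i == 1 else ("pair", t[1], r)
    return None

def mu_trace(t, external=True):
    """Reduce t as far as the chosen relation allows, recording mu after every step."""
    trace = [mu(t)]
    while (t := step(t, external)) is not None:
        trace.append(mu(t))
    return trace

def lemma3_bound_holds(t, x, u):
    """The substitution lemma: mu(t[x:=u]) <= mu(t) + mu(u) + p(u)."""
    return mu(subst(t, x, u)) <= mu(t) + mu(u) + p(u)

# Constructed sample terms over one atom a and a constant c : a.
A = "a"
C = ("const", "c", A)

def identity(v):
    return ("lam", v, A, ("var", v, A))    # lambda v. v : a -o a

# pi_1 ((lambda x. x) c, (lambda z. z) c): mu = 2, and each external step lowers it.
SAMPLE = ("proj", 1, ("pair", ("app", identity("x"), C), ("app", identity("z"), C)))
# The pair alone has no external redex, while an internal step to (c, (lambda z. z) c) keeps mu at 1.
PAIR = SAMPLE[2]
```

`mu_trace(SAMPLE)` returns `[2, 1, 0]`, the strict decrease of Proposition 1, whereas `mu_trace(PAIR, external=False)` returns `[1, 1, 0]`: the first step happens inside the pair and is exactly the non-decreasing case the text warns about after Definition 6.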

As we explained at the beginning of this section, we intend to establish that 
whenever t u, there exists a reduction strategy that is polynomially bounded 
by the size of both t and u. The idea is to use p{t). This is not sufficient because it 
only works for external reduction. Now, a reduction step that takes place within 
one of the two components of a pair is useless if the residual of this component 
eventually disappears because of a subsequent projection. However, if there is no 
subsequent projection the residual of the pair will occur in u. These observations, 
which suggest that we must take into account the number of pair components 
that occur in u, motivate the next definition. 

Definition 8. , . , . , > , , . / , ^ i 



, , ■ - , , , #(^) , • 

( ) #{Xx.ti) = #(ti) 

f - ^2 , 

C ) = < #(^2), , tl , 

[ #(^l) + #(^2), , 
( ) #{{t\,t 2 )) = #(tl) + #(^2) 



m = 1 . 




Higher-Order Matching in the Linear λ-calculus with Pairing



(- ) = #(^i) 

( ) = #{ti) 

We now state and prove the main proposition of this section.

Proposition 2. Let $t, u \in \mathcal{T}$. If $t \to^{*} u$ then there exists $n \in \mathbb{N}$ such that $t \to^{n} u$ and $n \le \mu(t) \times \#(u)$.

Proof. The proof proceeds by induction on the subterm/reduction relation.

1. $t = x$. We must have $u = x$, and consequently $n = 0 = \mu(t) \times \#(u)$.

2. $t = \lambda x.\,t_1$. We must have $u = \lambda x.\,u_1$, with $t_1 \to^{*} u_1$. Hence, the property holds by induction hypothesis.

3. $t = t_1\,t_2$. If $u = u_1\,u_2$, with $t_1 \to^{*} u_1$ and $t_2 \to^{*} u_2$, the induction is straightforward. Otherwise, there exist $t'_{11}$ and $t'_2$ such that
$$t_1\,t_2 \to^{*} (\lambda x.\,t'_{11})\,t'_2 \to t'_{11}[x:=t'_2] \to^{*} u,$$
where $t_1 \to^{*} \lambda x.\,t'_{11}$ and $t_2 \to^{*} t'_2$. Then, by Lemma 1, there exists $t_{11}$ such that $t_1 \rhd^{*} \lambda x.\,t_{11} \to^{*} \lambda x.\,t'_{11}$. Therefore there exist $n_1, n_2 \in \mathbb{N}$ such that
$$t_1\,t_2 \rhd^{n_1} (\lambda x.\,t_{11})\,t_2 \rhd t_{11}[x:=t_2] \to^{n_2} u,$$
because $t_{11}[x:=t_2] \to^{*} t'_{11}[x:=t'_2]$. Hence, by Corollary 1, we have
$$n_1 + 1 \le \mu(t_1\,t_2) - \mu(t_{11}[x:=t_2]),$$
which implies $n_1 + 1 \le (\mu(t_1\,t_2) - \mu(t_{11}[x:=t_2])) \times \#(u)$, since $\#(u) > 0$. On the other hand, by induction hypothesis, we have $n_2 \le \mu(t_{11}[x:=t_2]) \times \#(u)$. Consequently, we have that $n_1 + n_2 + 1 \le \mu(t_1\,t_2) \times \#(u)$. Then, we take $n = n_1 + n_2 + 1$.

4. $t = (t_1,t_2)$. We must have that $u = (u_1,u_2)$, with $t_1 \to^{*} u_1$ and $t_2 \to^{*} u_2$. Hence, by induction hypothesis, there exist $n_1, n_2 \in \mathbb{N}$ such that $t_1 \to^{n_1} u_1$ with $n_1 \le \mu(t_1) \times \#(u_1)$, and $t_2 \to^{n_2} u_2$ with $n_2 \le \mu(t_2) \times \#(u_2)$. Consequently, we have that $(t_1,t_2) \to^{n_1} (u_1,t_2) \to^{n_2} (u_1,u_2)$. Then, we may take $n = n_1 + n_2$ because the following inequalities hold:
$$\begin{aligned}
n_1 + n_2 &\le \mu(t_1) \times \#(u_1) + \mu(t_2) \times \#(u_2) \\
&\le \max(\mu(t_1), \mu(t_2)) \times \#(u_1) + \max(\mu(t_1), \mu(t_2)) \times \#(u_2) \\
&= \max(\mu(t_1), \mu(t_2)) \times (\#(u_1) + \#(u_2)) \\
&= \mu((t_1,t_2)) \times \#((u_1,u_2)).
\end{aligned}$$

5. $t = \pi_1 t_1$. If $u = \pi_1 u_1$, with $t_1 \to^{*} u_1$, the induction is straightforward. Otherwise, there exist $t'_{11}$ and $t'_{12}$ such that $\pi_1 t_1 \to^{*} \pi_1(t'_{11},t'_{12}) \to t'_{11} \to^{*} u$, where $t_1 \to^{*} (t'_{11},t'_{12})$. Then, by Lemma 2, there exist $t_{11}$ and $t_{12}$ such that $t_1 \rhd^{*} (t_{11},t_{12}) \to^{*} (t'_{11},t'_{12})$. Consequently, there exist $n_1, n_2 \in \mathbb{N}$ such that $\pi_1 t_1 \rhd^{n_1} \pi_1(t_{11},t_{12}) \rhd t_{11} \to^{n_2} u$, because $t_{11} \to^{*} t'_{11} \to^{*} u$. Then, by Corollary 1, we have $n_1 + 1 \le \mu(\pi_1 t_1) - \mu(t_{11})$, which implies $n_1 + 1 \le (\mu(\pi_1 t_1) - \mu(t_{11})) \times \#(u)$. By induction hypothesis, we also have that $n_2 \le \mu(t_{11}) \times \#(u)$. Hence, we have that $n_1 + n_2 + 1 \le \mu(\pi_1 t_1) \times \#(u)$, and we take $n = n_1 + n_2 + 1$.

6. $t = \pi_2 t_1$. This case is similar to the previous one. □
4 Decidability and NP-Completeness

In the presence of pairs, linear λ-terms may contain subterms which are bound to disappear during the reduction because of projections. Those subterms may be arbitrarily huge and contain many redices. The previous section showed how to cope with them in order not to reduce useless redices and to have a polynomial reduction. The purpose of this one is to prove that if $t \to^{n} u$ then there exists some $t'$ obtained by deleting useless subterms from $t$ and the size of which is polynomial with respect to $n$ and the size of $u$. Together with the results of the previous section this property will help us to obtain decidability and complexity insights about the matching problem.

In order to model deletion in terms, we add a special constant ($\diamond$) to the calculus. This constant may be used to replace any term of any type in the formation rules of Definition 3 (not taking into account the side condition on free variables in the case of the formation of a pair).

Within this new notion of term, we distinguish those obtained by adding the following term formation rules to the formation rules of Definition 3:
$$\text{if } t \in \mathcal{T}_\alpha \text{ then } (t,\diamond) \in \mathcal{T}_{\alpha \mathbin{\&} \beta} \text{ and } (\diamond,t) \in \mathcal{T}_{\beta \mathbin{\&} \alpha};$$
those terms are called hollow terms. A substitution $\sigma$ is hollow if for all $x$ (resp. $X$), $\sigma(x)$ (resp. $\sigma(X)$) is hollow.

The fact that a certain term is obtained from another one by deleting one of its subterms induces a reflexive and transitive relation ($\sqsubseteq$) on terms defined by the following formal system:
$$\diamond \sqsubseteq t \qquad h \sqsubseteq h \ \ (h \text{ a variable, a constant or an unknown}) \qquad \frac{t \sqsubseteq u}{\lambda x.\,t \sqsubseteq \lambda x.\,u} \qquad \frac{t_1 \sqsubseteq u_1 \quad t_2 \sqsubseteq u_2}{t_1\,t_2 \sqsubseteq u_1\,u_2}$$
$$\frac{t_1 \sqsubseteq u_1 \quad t_2 \sqsubseteq u_2}{(t_1,t_2) \sqsubseteq (u_1,u_2)} \qquad \frac{t \sqsubseteq u}{\pi_1 t \sqsubseteq \pi_1 u} \qquad \frac{t \sqsubseteq u}{\pi_2 t \sqsubseteq \pi_2 u}$$

This relation is naturally extended to the substitutions:

Definition 9. Let $\sigma_1$ and $\sigma_2$ be two substitutions. Then $\sigma_1 \sqsubseteq \sigma_2$ iff for all $x$ (resp. $X$), $\sigma_1(x) \sqsubseteq \sigma_2(x)$ (resp. $\sigma_1(X) \sqsubseteq \sigma_2(X)$).

Definition 10. The size $|t|$ of a term $t$ is defined by:
$$|\diamond| = 1, \qquad |h| = 1 \text{ for } h \text{ a variable, a constant or an unknown}, \qquad |\lambda x.\,t| = |t| + 1,$$
$$|t_1\,t_2| = |t_1| + |t_2|, \qquad |(t_1,t_2)| = |t_1| + |t_2|, \qquad |\pi_1(t)| = |t| + 1, \qquad |\pi_2(t)| = |t| + 1.$$
The size of a substitution $\sigma$ is $|\sigma| = \sum_{x \in \mathrm{dom}(\sigma)} |\sigma(x)| + \sum_{X \in \mathrm{dom}(\sigma)} |\sigma(X)|$.
Lemma 4. For every term $t$ (possibly containing $\diamond$) there exists a linear λ-term $u$ such that $FV(u) = FV(t)$, $t \sqsubseteq u$ and $|u| \le |t|^2$.

Proof. The proof is an induction on the structure of $t$. We only present the case where $t = (\diamond, t')$, the other ones being either similar to this one or straightforward.

If $t = (\diamond, t')$ then by induction hypothesis we have the existence of a linear term $u'$ such that $FV(u') = FV(t')$, $t' \sqsubseteq u'$ and $|u'| \le |t'|^2$. Let $FV(u') = \{x_1,\dots,x_n\}$ and let $X$ be an unknown with a type such that $u = (X\,x_1 \dots x_n,\ u')$ is a linear λ-term with the same type as $t$. Obviously we have $FV(u) = FV(t)$ and $t \sqsubseteq u$; it remains to show that $|u| \le |t|^2$. As $FV(t') = \{x_1,\dots,x_n\}$, we have $n \le |t'|$, and:
$$|u| = |u'| + n + 1 \le |t'|^2 + n + 1 \le |t'|^2 + |t'| + 1 \le (|t'| + 1)^2 = |t|^2. \qquad □$$
Lemma 5. If $u_1 \sqsubseteq u_2$ and $\sigma_1 \sqsubseteq \sigma_2$ then $u_1.\sigma_1 \sqsubseteq u_2.\sigma_2$.

Proof. By induction on the structure of $u_1$:

1. If $u_1 = \diamond$ then $u_1.\sigma_1 = \diamond$ and obviously $u_1.\sigma_1 \sqsubseteq u_2.\sigma_2$.

2. If $u_1 = x$ then $u_2 = x$ and $u_1.\sigma_1 = \sigma_1(x)$. As $\sigma_1 \sqsubseteq \sigma_2$, we have $\sigma_1(x) \sqsubseteq \sigma_2(x)$ and as a consequence we have $u_1.\sigma_1 \sqsubseteq u_2.\sigma_2$.

3. If $u_1 = h$ where $h$ is a constant, then $u_2 = h$ and $u_1.\sigma_1 = h$. So $u_1.\sigma_1 \sqsubseteq u_2.\sigma_2$.

4. The other cases are direct consequences of the induction hypothesis. □

With a specific strategy, the relation $\sqsubseteq$ can be preserved through reduction.

Lemma 6. If $v_1 \sqsubseteq v_2$ and $v_1 \to w_1$ then there exists $w_2$ such that $v_2 \to w_2$ and $w_1 \sqsubseteq w_2$.

Proof. By induction on the structure of $v_1$:

1. If $v_1 = (\lambda x.\,t_1)\,t_2$ and $w_1 = t_1[x:=t_2]$ then $v_2 = (\lambda x.\,t'_1)\,t'_2$ where $t_1 \sqsubseteq t'_1$ and $t_2 \sqsubseteq t'_2$. Then from Lemma 5, if we let $w_2 = t'_1[x:=t'_2]$, then $w_1 \sqsubseteq w_2$.

2. The other cases are straightforward. □

Lemma 7. If $v_1 \sqsubseteq v_2$ and $v_2 \to w_2$ then there exists $w_1$ such that $v_1 \to^{=} w_1$ and $w_1 \sqsubseteq w_2$.

Proof. This lemma can be proved by induction on the structure of $v_2$ in a way similar to the previous one. The only difference appears in the case where $v_1 = \diamond$. In that case $w_1 = \diamond$ and obviously $w_1 \sqsubseteq w_2$. □

As a consequence, under certain conditions, the relation E preserves equality 
between terms. 

Lemma 8 . , w ^ ^ ^ - 'Ci. 'c - , , , , , , , , ' , , , . 

0 , - Vl E V 2 , Vi = V 2 

Proof. The lemma can be proved by iterating Lemma 6 and remarking that, as $\diamond$ has no occurrence in $u$, if $u \sqsubseteq w$ then $u = w$. □
Lemma 9. If $v_1 = v_3$ and $v_1 \sqsubseteq v_2 \sqsubseteq v_3$ then $v_1 = v_2$.

Proof. If $v$ is the common normal form of $v_1$ and $v_3$, then there exists $n$ such that $v_1 \to^{n} v$. In order to prove the lemma we use an induction on $n$.

In case $n = 0$, $v_1$ is in normal form. But $v_3$ is not necessarily in normal form. We are going to prove by induction on $v_1$ that the normal form of $v_2$ is $v_1$.

1. $v_1 = \diamond$: we then have to prove that if $v_3 \to^{*} \diamond$, the fact that $v_2 \sqsubseteq v_3$ implies that $v_2 = \diamond$. We proceed by induction on the length $p$ of the reduction $v_3 \to^{p} \diamond$. In case $p = 0$, $v_3 = \diamond$ and then $v_2 \sqsubseteq \diamond$, so $v_2 = \diamond$. If $p > 0$ then $v_3 \to v'_3 \to^{p-1} \diamond$. By Lemma 7 there is $v'_2$ such that $v_2 \to^{=} v'_2$ and $v'_2 \sqsubseteq v'_3$. Then, by induction hypothesis, $v'_2 = \diamond$ and $v_2 = \diamond$.

2. The other cases are simple consequences of induction.

Now if $n > 0$ then $v_1 \to v'_1 \to^{n-1} v$. By Lemma 6 there exists $v'_2$ such that $v_2 \to v'_2$ and $v'_1 \sqsubseteq v'_2$. Still from Lemma 6 there exists $v'_3$ such that $v_3 \to v'_3$ and $v'_2 \sqsubseteq v'_3$. Thus we have $v'_1 \sqsubseteq v'_2 \sqsubseteq v'_3$ and $v'_1 \to^{n-1} v$; the induction hypothesis gives that $v'_2 = v'_1$, which allows us to conclude that $v_1 = v_2$. □

When two terms are dominated (with respect to $\sqsubseteq$) by another one, they share a common syntactic structure but each of them can have specific subterms. The following lemma proves the existence of a term which possesses both their common and specific features.

Lemma 10. Let $v_1$, $v_2$ and $v$ be terms such that $v_1 \sqsubseteq v$ and $v_2 \sqsubseteq v$. Then there exists $v_3$ such that $v_3 \sqsubseteq v$, $v_1 \sqsubseteq v_3$, $v_2 \sqsubseteq v_3$ and $|v_3| \le |v_1| + |v_2| - 1$.

Proof. We proceed by induction on the structure of $v$. The only interesting case consists in having $v = (u_1,u_2)$, $v_1 = (w_1,\diamond)$ and $v_2 = (\diamond,w_2)$, the other cases being straightforward. In that case, it suffices to take $v_3 = (w_1,w_2)$ to respect the conditions of the lemma. □

The next lemma is the generalisation of the previous one to the substitutions. 

Lemma 11. Let σ, $\sigma_1$ and $\sigma_2$ be substitutions such that $\mathrm{dom}(\sigma) \neq \emptyset$, $\sigma_1 \sqsubseteq \sigma$ and $\sigma_2 \sqsubseteq \sigma$. Then there exists $\sigma_3$ such that

$\sigma_3 \sqsubseteq \sigma,\qquad \sigma_1 \sqsubseteq \sigma_3 \;\wedge\; \sigma_2 \sqsubseteq \sigma_3,\qquad |\sigma_3| \le |\sigma_1| + |\sigma_2| - 1$

Proof. The proof of this lemma uses an induction on the size of dom(σ); the initial case is simply proved using the previous lemma, and if $x \notin \mathrm{dom}(\sigma)$ we set $\sigma_3(x)$ to be equal to x. □
If a term t is obtained from a term v by deleting some of its subterms ($t \sqsubseteq v$), then t and v still share a main global syntactic structure. In particular, one can expect that if v is the result of a substitution σ applied to a term u, then t is also the result of applying a substitution to a certain term. The next lemma states this fact precisely.

Lemma 12. Let t and u be terms and σ a substitution such that $t \sqsubseteq u.\sigma$. Then there exist a hollow term u' and a hollow substitution σ' such that

$u' \sqsubseteq u,\qquad \sigma' \sqsubseteq \sigma,\qquad t \sqsubseteq u'.\sigma' \sqsubseteq u.\sigma,\qquad |u'| + |\sigma'| \le |t| + 1$

Proof. If dom(σ) = ∅ then σ = Id and we just have to take u' = t and σ' = Id to get all that is needed. The rest of the proof won't take this trivial case into account, and the condition dom(σ) ≠ ∅ which will allow us to apply Lemma 11 will be implicitly verified.

We prove this lemma using an induction on the structure of u:

1. In case u = x and x ∈ dom(σ), we take u' = x and σ' = [x := t]. Such u' and σ' verify the required properties.

2. In case u = X and X ∈ dom(σ), we also take u' = X and σ' = [X := t].

3. In case u = h where h is an atomic term which is not in dom(σ), we let u' = t and σ' = Id.

4. In case $u = (u_1, u_2)$ then $t = (t_1, t_2)$ so that $t_i \sqsubseteq u_i.\sigma$. The induction hypothesis implies the existence of two pairs $u_1', \sigma_1$ and $u_2', \sigma_2$ such that $t_i \sqsubseteq u_i'.\sigma_i \sqsubseteq u_i.\sigma$, $u_i' \sqsubseteq u_i$, $\sigma_i \sqsubseteq \sigma$ and $|u_i'| + |\sigma_i| \le |t_i| + 1$. As $\sigma_1 \sqsubseteq \sigma$ and $\sigma_2 \sqsubseteq \sigma$, from Lemma 11 there exists σ' such that $\sigma' \sqsubseteq \sigma$, $\sigma_i \sqsubseteq \sigma'$ and $|\sigma'| \le |\sigma_1| + |\sigma_2| - 1$. By Lemma 5, as $u_i' \sqsubseteq u_i$ and $\sigma_i \sqsubseteq \sigma' \sqsubseteq \sigma$, it comes that $t_i \sqsubseteq u_i'.\sigma_i \sqsubseteq u_i'.\sigma' \sqsubseteq u_i.\sigma$. We let $u' = (u_1', u_2')$ and verify that $t \sqsubseteq u'.\sigma' \sqsubseteq u.\sigma$ and:

$$|u'| + |\sigma'| \;\le\; 1 + |u_1'| + |\sigma_1| + |u_2'| + |\sigma_2| - 1 \;\le\; |t_1| + 1 + |t_2| + 1 \;=\; |t| + 1$$

5. The case where $u = u_1 u_2$ can be solved in the same way as the previous one.

6. The other cases are straightforward. □

Corollary 2. Let t, $t_1$ and $t_2$ be terms such that $t = t_1[x := t_2]$ and $t \sqsubseteq t_1[x := t_2]$. Then there exist $t_1'$ and $t_2'$ such that

$t_1' \sqsubseteq t_1,\qquad t_2' \sqsubseteq t_2,\qquad t = t_1'[x := t_2'],\qquad |t_1'| + |t_2'| \le |t| + 1$
Proof. From the previous lemma we know that there exist $t_1'$ and $t_2'$ such that $t_1' \sqsubseteq t_1$, $t_2' \sqsubseteq t_2$, $t \sqsubseteq t_1'[x := t_2'] \sqsubseteq t_1[x := t_2]$ and $|t_1'| + |t_2'| \le |t| + 1$. As $t = t_1[x := t_2]$, Lemma 9 implies $t = t_1'[x := t_2']$. □

We now establish the key lemma of this section. We get a bound on the size 
of the term t' obtained by deleting useless subterms of a term t. 

Lemma 13. Let t, u and u' be terms such that $t \to u$, $u' \sqsubseteq u$ and $u' = u$. Then there exists a hollow term t' such that

$t' \sqsubseteq t,\qquad t' = t,\qquad |t'| \le |u'| + 2$

Proof. We proceed by induction on the structure of t. We just present the cases where t is a redex and u is the result of the contraction of that redex; the other ones are direct consequences of the induction hypothesis:

1. If $t = (\lambda x.t_1)t_2$ and $u = t_1[x := t_2]$, from Corollary 2 there are two hollow terms $t_1'$ and $t_2'$ such that $t_i' \sqsubseteq t_i$, $t_1'[x := t_2'] = u' = u = t$ and $|t_1'| + |t_2'| \le |u'| + 1$. Thus $(\lambda x.t_1')t_2'$ is a hollow term, $(\lambda x.t_1')t_2' \sqsubseteq (\lambda x.t_1)t_2$, $(\lambda x.t_1')t_2' = t$ and $|(\lambda x.t_1')t_2'| = |t_1'| + |t_2'| + 1 \le |u'| + 2$.

2. If $t = \pi_1((t_1, t_2))$ (resp. $t = \pi_2((t_1, t_2))$) and $u = t_1$ (resp. $u = t_2$), then we let $t' = \pi_1((u', \Diamond))$ (resp. $t' = \pi_2((\Diamond, u'))$) and we verify that t' fulfills the conditions of the lemma. □

Lemma 14. Let t and u be terms such that $t \to^n u$. Then there exists a hollow term t' such that

$t' \sqsubseteq t,\qquad t' = t,\qquad |t'| \le |u| + 2n$



Proof. This result is obtained by iterating the previous lemma. The iteration can be initiated because $u \sqsubseteq u$ and $u = u$. □

Proposition 3. Let t and u be terms and σ a substitution such that $t.\sigma \to^n u$. Then there exists σ' such that

$\sigma' \sqsubseteq \sigma,\qquad t.\sigma' = u,\qquad |\sigma'| \le |u| + 2n$



Proof. From the previous lemma, we know that if $t.\sigma \to^n u$ then there exists a hollow term t' such that $t' \sqsubseteq t.\sigma$, $t' = u$ and $|t'| \le |u| + 2n$. Lemma 12 leads to the existence of a hollow term t'' and a hollow substitution σ' such that $t'' \sqsubseteq t$, $\sigma' \sqsubseteq \sigma$, $t' \sqsubseteq t''.\sigma' \sqsubseteq t.\sigma$ and $|t''| + |\sigma'| \le |t'| + 1$. As a consequence $|\sigma'| \le |u| + 2n$.

We now have to verify that $t.\sigma' = u$. Lemma 9 gives $t''.\sigma' = u$ because $t' = u$ and $t.\sigma = u$. As $t'' \sqsubseteq t$ and $\sigma' \sqsubseteq \sigma$, Lemma 5 gives $t''.\sigma' \sqsubseteq t.\sigma' \sqsubseteq t.\sigma$. But $t''.\sigma' = u$ and $t.\sigma = u$, so Lemma 9 leads to what we expected. □

Theorem 1. Matching in the linear λ-calculus with pairing is decidable. When the right part of the equation is in normal form, the problem is NP-complete.



Proof. Let v be the normal form of u. If the matching equation (t, u) admits a solution σ then, from Proposition 2, there exists n such that $t.\sigma \to^n v$ and $n \le \mu(t.\sigma) \times \#(v)$. If we consider that the terms substituted to unknowns by σ are in normal form, then the redices contained in t.σ are those contained in t and those created by the substitution. Thus, if $\{X_1, \ldots, X_n\}$ is the multiset of unknowns that occur in t, we have:

$$\mu(t.\sigma) \;\le\; \mu(t) + \sum_{i=1}^{n} \mu(X_i)$$

From Proposition 3 we know that there exists σ' such that $\sigma' \sqsubseteq \sigma$, $t.\sigma' = v$ and $|\sigma'| \le |v| + 2n \le |v| + 2\#(v)\mu(t) + \sum_{i=1}^{n} 2\#(v)\mu(X_i)$. But σ' may substitute to some unknowns terms which contain some ◇. Lemma 4 gives us the existence of a substitution σ'' with the same domain as σ', which substitutes a linear λ-term to each unknown of its domain and such that $\sigma' \sqsubseteq \sigma''$ and:

$$|\sigma''| \;\le\; |\sigma'|^2 \;\le\; \Big(|v| + 2\#(v)\mu(t) + \sum_{i=1}^{n} 2\#(v)\mu(X_i)\Big)^2$$

As $\sigma' \sqsubseteq \sigma''$, Lemma 5 proves that $t.\sigma' \sqsubseteq t.\sigma''$. Finally, since it is a linear λ-term, v does not contain any ◇ and we have (Lemma 8) $t.\sigma'' = t.\sigma' = v$. Hence, if there is a solution to the equation then there is also a solution which is bounded. The problem is then decidable.

Furthermore, if u is in normal form then |v| = |u| and the existence of a solution implies the existence of a polynomially bounded one. And since Proposition 2 entails, in that case, that verifying whether a substitution is a solution or not is polynomial, the problem is in NP if u is in normal form. As it is an extension of matching in the linear λ-calculus, which is NP-hard [9], matching in the linear λ-calculus with pairing is NP-complete when u is in normal form. □

We have not yet found the precise complexity of matching in the linear λ-calculus with pairing in the case where the right part of the equation is not in normal form. We managed to prove that this problem is PSPACE-hard, but we did not find a PSPACE algorithm which solves it. At worst, we still have the EXPTIME algorithm which consists in normalizing the right part of the equation and then solving it.
A Dependent Type Theory with Names and Binding

Abstract. We consider the problem of providing formal support for working with abstract syntax involving variable binders. Gabbay and Pitts have shown in their work on Fraenkel-Mostowski (FM) set theory how to address this through first-class names: in this paper we present a dependent type theory for programming and reasoning with such names. Our development is based on a categorical axiomatisation of names, with freshness as its central notion. An associated adjunction captures constructions known from FM theory: the freshness quantifier И, name-binding, and unique choice of fresh names. The Schanuel topos — the category underlying FM set theory — is an instance of this axiomatisation. Working from the categorical structure, we define a dependent type theory which it models. This uses bunches to integrate the monoidal structure corresponding to freshness, from which we define novel multiplicative dependent products Π* and sums Σ*, as well as a propositions-as-types generalisation H of the freshness quantifier.



1 Introduction 

The handling of variable binding in abstract syntax is a recognised challenge for machine-assisted reasoning about programming languages and logics. The problem is that a significant part of the formalisation effort may go into dealing with issues that are normally suppressed in informal practice: namely that one is working with α-equivalence classes of terms rather than raw terms.

Gabbay and Pitts have shown that FM set theory supports a notion of names that can make precise the informal practice of using concrete names for α-equivalence classes. They give a number of useful constructions: abstract syntax with binders can be encoded as an inductive data type, there is a useful syntax-independent notion of name-freshness, and a freshness quantifier simplifies reasoning with names.

The approach of Gabbay and Pitts has been studied in a number of other settings, among which are the first-order Nominal Logic [18], the higher-order logic FM-HOL [6] as well as the programming language FreshML [19]. Related [9] to FM theory, the Theory of Contexts [11] provides an axiomatisation of reasoning with names in dependent type theory. The ideas underlying FM have also proved useful in other areas such as Spatial Logic [2] or programming with semi-structured data with hidden labels [1]. These approaches typically focus either on programming with names, or reasoning about them. The Theory of Contexts, for example, supports reasoning with names, but does not admit functions that compare names or which (locally) choose fresh names.

J. Marcinkowski and A. Tarlecki (Eds.): CSL 2004, LNCS 3210, pp. 235-249, 2004.
© Springer-Verlag Berlin Heidelberg 2004
In this paper we take the first steps towards a dependent type theory incorporating FM concepts for both programming and reasoning with names. We introduce a dependent type theory, using as guidance the categorical structure of the Schanuel topos, which is the category corresponding to FM set theory. In contrast to FM set theory, where swapping is the primitive notion for working with names, we take freshness as the central primitive of our type theory. This allows us to describe the constructions with names and binding in terms of universal constructions, and also avoids problems with extensional equality, which seems to be necessary for defining α-equivalence classes using swapping.

As the first contribution of the paper we introduce a bunched dependent type theory. Since freshness corresponds to a monoidal structure, bunches provide a natural way of integrating it into the type theory. Our bunched type theory may be seen as a generalisation of the αλ-calculus of O'Hearn and Pym [17, 20]. The αλ-calculus is a simple type theory corresponding to a category which is both cartesian closed and monoidal closed. Our type theory extends this situation, but only in the additive direction: we consider a category which is locally cartesian closed as well as monoidal closed. In this structure, we can model a dependent type theory with two function spaces Πx:A. B and Π*x:C. D. The first comes from the locally cartesian closed structure and consists of normal dependent functions. The second, which is subject to the restriction that C is closed, comes from the monoidal closed structure and may be thought of as consisting of functions which are only defined on arguments x : C that contain just fresh names. In particular, with a type of names N, we can use Π*n:N. D to model α-equivalence classes, which corresponds to the well-known approach of modelling α-equivalence classes as 'fresh functions' [7, 4, 9, 5]. Another way of representing α-equivalence classes, as given in [7], is to consider them as pairs n.x of a term x with a distinguished name n in such a way that the identity of n is hidden in the pair. This representation is also available in our type theory as fresh sum types Σ*, dual to Π*. The inhabitants of Σ*x:C. D may be thought of as pairs M.N where M : C and N : D(M) and in which all the names in M have been hidden. To formulate Σ*-types, we introduce a type thought of as those elements of B which are free from all the names in the term M : A. These freefrom types are used to enforce that no use of a pair M.N in Σ*x:C. D can reveal the hidden names.

As a second contribution of the paper, we give a new categorical axiomatisation of names and binding. The main feature of this axiomatisation is a propositions-as-types generalisation of the freshness quantifier of Gabbay and Pitts. To recall the freshness quantifier, consider quantifiers ∃*x:A. φ and ∀*x:A. φ expressing 'φ holds for some x containing only fresh names' and 'φ holds for any x containing only fresh names' respectively. The freshness quantifier И arises because, for the type of names N, the propositions ∃*n:N. φ and ∀*n:N. φ are equivalent; and Иn. φ is used to denote either of them. We have a propositions-as-types correspondence between ∃* and Σ* as well as between ∀* and Π*, so one may generalise the equivalence of ∃*n:N. φ and ∀*n:N. φ to an isomorphism between Σ*n:N. D and Π*n:N. D.

This motivates our categorical axiomatisation of names. The central concept is freshness, giving rise to a certain 'fresh weakening' functor W. The types Σ* and Π* are left and right adjoints to W. Names are given by an object N having decidable equality. Moreover, we require an isomorphism Σ*_N ≅ Π*_N generalising the freshness quantifier. We show that this structure includes not only the freshness quantifier, but also binding (n.x) as in [7, 16] as well as unique choice of fresh names (new n. M) as in FreshML [19].

The semantics leads us to a type theory with names and binding. Based on the isomorphism Σ*_N ≅ Π*_N, we introduce hidden-name types Hn. D as a generalisation of the freshness quantifier. We may think of the elements of Hn. D as elements of Σ*n:N. D, i.e. pairs with hidden names, but also as elements of Π*n:N. D, i.e. functions taking only fresh names. In analogy to the freshness quantifier, which has the rules from both ∃* and ∀*, the rules for H are those from both Σ* and Π*. This dual view of hidden-name types turns out to be useful for working with abstract syntax: it allows us to use both HOAS-style constructions and FM-style constructions at the same time.



2 A Bunched Dependent Type Theory 

In this section we introduce a first-order bunched dependent type theory and identify the categorical structure corresponding to it. The type theory has the following forms of sequents: (⊢ Γ Bunch) — Γ is a bunch, or context; (Γ ⊢ A Type) — A is a type in context Γ; (Γ ⊢ M : A) — M is a term of type A in context Γ; as well as corresponding sequents for definitional equalities.



2.1 Bunches and Structural Rules 

Bunches are built from the empty bunch ◇ using two kinds of extension. First, the familiar additive context extension from dependent type theory, which takes a bunch Γ to the bunch Γ, x : A. Second, a multiplicative extension taking two bunches Γ and Δ to a new bunch Γ * Δ. This extension is non-dependent in that no dependency is allowed across the *. The bunch Γ * Δ should be thought of as the context Γ, Δ with the restriction that the names occurring in Γ are disjoint from those in Δ. For example, if Lam is a type which encodes object-level λ-terms, then the bunch (x : Lam, y : Lam) * (z : Lam) declares three terms x, y and z with the property that the names (representing the free variables of the encoded terms) in x and y are disjoint from those in z.



    ──────────
    ⊢ ◇ Bunch

    Γ ⊢ A Type
    ─────────────────  x ∉ v(Γ)
    ⊢ Γ, x:A Bunch

    ⊢ Γ Bunch     ⊢ Δ Bunch
    ────────────────────────  v(Γ) ∩ v(Δ) = ∅
    ⊢ Γ * Δ Bunch



In the side conditions of these rules, we write v(Γ) for the set of variables declared in Γ. We will frequently omit such side-conditions on the variable names, assuming tacitly that we encounter only bunches in which no variable is declared more than once.

We use the notation Γ(Δ) to indicate that Γ has a sub-bunch Δ, where sub-bunches are defined as follows: Δ is a sub-bunch of itself, and if Δ is a sub-bunch of Γ then it is also a sub-bunch of (Γ, x : A), and Γ * Φ, and Φ * Γ. We write Γ(Φ) for the bunch which results from Γ(Δ) by replacing the (unique) occurrence of Δ in Γ with Φ.

Using this notation, we can formulate the structural rules:

(Proj)
    Γ ⊢ A Type
    ──────────────────  x ∉ v(Γ)
    Γ, x : A ⊢ x : A

(Weak)
    Γ(Δ) ⊢ J     Δ ⊢ A Type
    ──────────────────────────  x ∉ v(Γ, Δ)
    Γ(Δ, x:A) ⊢ J

(Unit)
    Γ(Δ) ⊢ J
    ═══════════════
    Γ(Δ * ◇) ⊢ J

(Subst)
    Δ ⊢ M : A     Γ(Δ, x:A) ⊢ J
    ──────────────────────────────
    Γ(Δ)[M/x] ⊢ J[M/x]

(Swap)
    Γ(Δ * Φ) ⊢ J
    ═══════════════
    Γ(Φ * Δ) ⊢ J

(Assoc)
    Γ((Δ * Φ) * Ψ) ⊢ J
    ═══════════════════
    Γ(Δ * (Φ * Ψ)) ⊢ J



In these rules, we use J for an arbitrary judgement and double lines for bi-directional rules. We highlight the rule (Unit) which requires the empty bunch ◇ to be a unit for *, thus making * affine. In particular, the multiplicative weakening rule

(*-Weak)
    Γ(Δ) ⊢ J     ⊢ Γ(Δ * Φ) Bunch
    ───────────────────────────────
    Γ(Δ * Φ) ⊢ J

becomes admissible by using (Unit) together with (Weak).
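As an added worked instance (not taken from the paper) of why (*-Weak) is admissible, take Φ = (y:B, z:C); since every bunch is built up from ◇, this is the bunch (◇, y:B, z:C), and the premise ⊢ Γ(Δ * Φ) Bunch yields the typing premises ◇ ⊢ B Type and ◇, y:B ⊢ C Type that the two uses of (Weak) need:

$$
\dfrac{
  \dfrac{
    \dfrac{\Gamma(\Delta) \vdash J}{\Gamma(\Delta * \Diamond) \vdash J}\;(\mathrm{Unit})
    \qquad \Diamond \vdash B\ \mathrm{Type}
  }{\Gamma(\Delta * (\Diamond, y{:}B)) \vdash J}\;(\mathrm{Weak})
  \qquad \Diamond, y{:}B \vdash C\ \mathrm{Type}
}{\Gamma(\Delta * (\Diamond, y{:}B, z{:}C)) \vdash J}\;(\mathrm{Weak})
$$

with side conditions $y, z \notin v(\Gamma, \Delta)$. For a multiplicative Φ = Φ₁ * Φ₂ the same construction first gives Γ(Δ * Φ₁) ⊢ J, then Γ((Δ * Φ₁) * Φ₂) ⊢ J, and (Assoc) turns this into Γ(Δ * (Φ₁ * Φ₂)) ⊢ J.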

Semantically, the bunches and structural rules can be modelled by a comprehension category [12] that in addition has an affine (i.e. the unit is isomorphic to the terminal object) symmetric monoidal structure * in its base. We model the additive context-extension Γ, x:A by the comprehension, and the multiplicative context-extension Γ * Δ by the monoidal product. To simplify the development, we make an additional assumption on the monoidal structure, given by the following definition [10].

Definition 1. An affine linear category is a category B with finite products and an affine symmetric monoidal structure * such that, for any two objects A and B of B, the canonical map (π_1, π_2) : A * B → A × B is a monomorphism.

In most of the paper, we take a special comprehension category: the codomain fibration cod : B^→ → B for an affine linear category B having all pullbacks. Although technically the interpretation uses a corresponding split fibration to deal with well-known coherence issues [8], in the following we elide such details. We assume the reader to be familiar with the semantics of (first-order) dependent type theory, see e.g. [12, 22, 21].



2.2 Type Formers 

In this section, we consider the types and terms, motivating them semantically. Starting from a codomain fibration cod : B^→ → B with an affine linear base B, we step-by-step add more structure and introduce syntax based on it.

Type and Term Constants. Basic types and terms are given by constants. These can be formulated as usual. For example, a type constant T in context Γ may be introduced as (Γ ⊢ T(x) Type), where x is the list of variables defined in Γ. That it is enough to annotate the constants just with the list of variables in Γ, ignoring any bunching structure, is a consequence of the assumption that the canonical map A * B → A × B is a monomorphism.

Additive Types (Σ, Π). Types found in Martin-Löf type theory can also be formulated as usual. In this paper, we use dependent sums and products, but others such as identity types can be added without problem. To model Π-types in the codomain fibration, we assume B to be locally cartesian closed [21, 12].
Monoidal Product (*). We add types A*B which internalise the context multiplication Γ * Δ. The type A*B may be thought of as containing all pairs (M, N) in A × B for which the sets of names underlying M and N are disjoint.

(*-Ty)
    ⊢ A Type     ⊢ B Type
    ──────────────────────
    ⊢ A*B Type

(*-I)
    Γ ⊢ M : A     Δ ⊢ N : B
    ─────────────────────────
    Γ * Δ ⊢ M*N : A*B

(*-E)
    Γ(z: A*B) ⊢ C Type     Δ ⊢ M : A*B     Γ(x:A * y:B)[x*y/z] ⊢ N : C[x*y/z]
    ─────────────────────────────────────────────────────────────────────────
    Γ(Δ)[M/z] ⊢ (let M be x*y in N) : C[M/z]

Note that the type A*B requires both A and B to be closed. This is because of substitution, as (A*B)[σ] and (A[σ] * B[σ]) would not always have isomorphic interpretations.

Since the rule (*-Weak) is admissible, we can derive an inclusion i_{A,B} of type A*B → A×B, given by the term i_{A,B} =df λp : A*B. (let p be x*y in (x,y)). Using this, we can state the equations for the monoidal product:

(*-β)
    Γ ⊢ let M*N be x*y in R : C
    ──────────────────────────────────────────────
    Γ ⊢ (let M*N be x*y in R) = R[M/x][N/y] : C

(*-η)
    Δ ⊢ M : A*B     Γ(z:A*B) ⊢ N : C
    ─────────────────────────────────────────────────────────
    Γ(Δ)[M/z] ⊢ N[M/z] = let M be x*y in (N[x*y/z]) : C[M/z]

(Inject)
    Γ ⊢ M : A*B     Γ ⊢ N : A*B     Γ ⊢ i_{A,B}(M) = i_{A,B}(N) : A×B
    ──────────────────────────────────────────────────────────────────
    Γ ⊢ M = N : A*B



Fresh Dependent Products (Π*). We now make the further assumption on B that, for each object A in B, the functor − * A preserves pullbacks and has a right adjoint A −* −.

This gives rise to the following situation. Let gl(− * A) be the fibration defined by change-of-base as in the left square below. Let W_A : B^→ → B/(− * A) be the functor which maps an object f : B → G to f*A : B*A → G*A. The assumption that − * A preserves pullbacks amounts to saying that W_A is a fibred functor from cod to gl(− * A). Moreover, it follows that W_A has a fibred right adjoint Π*_A : B/(− * A) → B^→, see e.g. [14]. Explicitly, Π*_A maps an object g : C → G * A to the morphism Π*_A g as in the pullback on the right.




Proposition 1. For any object A of B, the functor W_A as defined above has a fibred right adjoint Π*_A if and only if A * − preserves pullbacks and has a right adjoint A −* −.

In this way, we can recast the monoidal closed structure in terms of a fibred adjunction, and introduce syntax for the fibred adjunction as follows.

(Π*-Ty)
    Γ * x:A ⊢ B Type
    ─────────────────────
    Γ ⊢ Π*x:A. B Type

(Π*-I)
    Γ * x:A ⊢ M : B
    ────────────────────────────
    Γ ⊢ λ*x:A. M : Π*x:A. B

(Π*-E)
    Γ ⊢ M : Π*x:A. B     Δ ⊢ N : A
    ─────────────────────────────────
    Γ * Δ ⊢ M@N : B[N/x]

(Π*-β)
    Γ * x:A ⊢ M : B     Δ ⊢ N : A
    ────────────────────────────────────────────
    Γ * Δ ⊢ (λ*x:A. M)@N = M[N/x] : B[N/x]

(Π*-η)
    Γ ⊢ M : Π*x:A. B
    ───────────────────────────────────────
    Γ ⊢ λ*x:A.(M@x) = M : Π*x:A. B

Notice that the fresh dependent product Π*x:A. B is only well-formed for closed types A, as bunching does not allow dependency across the * in the bunch Γ * x:A. The rules of Π* derive from the adjoint correspondence

    1_{G*A} = W_A(1_G) → C   in B/(G * A)
    ═══════════════════════════════════════
    1_G → Π*_A(C)   in B/G ,

since morphisms 1_G → D in B/G correspond to terms in context G. Here, 1_G denotes the terminal object in B/G. That Π*_A is a fibred right adjoint means that substitution behaves as expected, that is we have (Π*x:A. B)[M/y] = Π*x:A. (B[M/y]) as well as (λ*x:A. N)[M/y] = λ*x:A. (N[M/y]).



Freefrom Types. Having considered a fibred right adjoint Π*_A to W_A, it is natural to ask for a fibred left adjoint Σ*_A to W_A. To add syntax for such a left adjoint, we need to account for a one-to-one correspondence between maps B → W_A(C) in B/(G * A) and Σ*_A(B) → C in B/G. Hence, we need a syntactic equivalent for the map B → W_A(C), and so must introduce syntax for W_A(C). Note that this is not necessary for Π*, since there we only need the value of W_A(1_G), which is 1_{G*A}.

We introduce freefrom types as a syntax for working with W_A(B). Intuitively, for N : A the freefrom type comprises all those p : B*A whose second component π_2(p) is N. The functor W_A may then be understood as a 'fresh weakening' functor, taking the type (Γ ⊢ B Type) to the freefrom type in context Γ * x:A. Here, type A is necessarily closed, while B may in general depend on Γ. However, in the present paper we avoid the complexity of managing substitution in B by restricting to closed freefrom types:
(F-Ty) 



h A Type h B Type A\- N : A 
Zi h Type 



A, B Type F M : B A\- N -.A 



z:B*("’‘^))hGType A ^ M : F{y.B * x:A) ^ R : C[y*^ /z] 

r{A)[N/x][M/z] h let M be y*" in R : C[N/x][M/z] 

The equations^ in which F \- Q : are: 



(/?) let M*-^ be y*^^ in i? = i?[iV/a;][M/?/] 

( 77 ) let Q be y*^ in R[y*^ / z] = R[N/x] [Q/z] 



Furthermore, we add a constant to ‘join’ two elements of freefrom types. 



* For brevity, from now on, we omit the contexts and typeability assumptions in the formulation of equations. Nevertheless, all equations are to be understood as equations-in-context, formulated under suitable typeability assumptions.
    Γ ⊢ M : …     Γ ⊢ N : …
    ──────────────────────────
    Γ ⊢ join_{A,B,C}(M, N) : …

This constant is part of the syntax for W_A, arising from the fact that W_A is a fibred functor, equivalently that − * A preserves pullbacks. It makes available the important property of freshness that if two objects x and y are fresh for some z then so is the pair (x, y). The behaviour of join is described by the equations

    let join_{A,B,C}(M, N) be y^{…} in (π_1 y)^{…} = M,
    let join_{A,B,C}(M, N) be y^{…} in (π_2 y)^{…} = N.

The semantic interpretation of (F-Ty) is given by the following diagram.

[Diagram not recoverable from the scan: pullback squares involving B × A, B and Δ.]

To see how this corresponds to W_A, recall that a closed type B in context Γ corresponds to the projection π_B : Γ × B → Γ. Using pullback-preservation of − * A, the following square is easily seen to be a pullback.

[Pullback square not recoverable from the scan; its vertical edges are π_B * A and π_2.]

Since the bottom row of this diagram corresponds to the term Γ * x : A ⊢ x : A, this means that the freefrom type of B in context Γ * x : A receives an interpretation isomorphic to π_B * A, which, by definition, is just W_A(π_B).



Fresh Dependent Sums (Σ*). We now assume that W_A has a fibred left adjoint Σ*_A. Using freefrom types as syntax for W_A, this gives rise to the following rules for Σ* (the superscripts of the freefrom types, illegible in the scan, are written …):

(Σ*-Ty)
    Γ * x:A ⊢ B Type
    ─────────────────────
    Γ ⊢ Σ*x:A. B Type

(Σ*-I)
    x:A ⊢ B Type     Γ ⊢ M : A     Γ ⊢ N : B[M/x]
    ───────────────────────────────────────────────
    Γ ⊢ bind(M, N) : (Σ*x:A. B)^{…}

(Σ*-E)
    Γ ⊢ M : Σ*x:A. B     (Γ * x:A), y:B ⊢ N : C^{…}
    ──────────────────────────────────────────────────
    Γ ⊢ let M be x.y in N : C

    M.N  =df  (let bind(M, N) be u^{…} in u)

These rules are best explained using the intended model of names. The term bind(M, N) in (Σ*-I) may be understood as the pair (M, N) with all the names in M made private, together with a proof that the names in M are indeed fresh for the pair. The abbreviation M.N is a short-hand for the pair without the proof of freshness. The introduction rule (Σ*-I) has a freefrom type in its conclusion because the constructor bind(M, N) comes from the unit η : B → W_A Σ*_A B of the adjunction, whose codomain W_A Σ*_A B is the semantic equivalent of (Σ*x:A. B)^{…}. The elimination rule (Σ*-E) formalises the intuition that an element M of type Σ*x:A. B is a pair with name-hiding. For this intuition to be valid, it should only be possible to use the components of the pair M in such a way that none of the hidden names is revealed. In (Σ*-E) this is achieved using freefrom types: the term N has type C^{…} and such a term can be understood as an element of C whose value does not depend on the names in x.

The equations, in which (Γ * x:A), y:B ⊢ R : … and Γ, z:Σ*x:A. B ⊢ Q : D, follow from the triangular identities for the adjunction Σ*_A ⊣ W_A.

    (β)  let bind(M, N) be z^{…} in (let z be x.y in R)^{…} = R[M/x][N/y]
    (η)  let M be x.y in (let bind(x, y) be z^{…} in Q^{…}) = Q[M/z]

We remark that the restriction on freefrom types that B must be closed makes the rules for Σ* incomplete. For example, we have to restrict (Σ*-I) so that B can only depend on x. More general rules are possible with unrestricted freefrom types.



2.3 Examples and Applications

As a simple example, we show that one can go from Πx:A. B to Π*x:A. B, as is the case in the affine αλ-calculus. Each line of the derivation below is justified by the rule named on its right; the two branches meet at the (Π-E) step.

    x:A ⊢ x : A                                  (Proj)
    x:A * ◇ ⊢ x : A                              (Unit)
    ◇ * x:A ⊢ x : A                              (Swap)
    (f:Πx:A. B) * x:A ⊢ x : A                    (Weak)

    f:Πx:A. B ⊢ f : Πx:A. B                      (Proj)
    (f:Πx:A. B) * ◇ ⊢ f : Πx:A. B                (Unit)
    (f:Πx:A. B) * x:A ⊢ f : Πx:A. B              (Weak)

    (f:Πx:A. B) * x:A ⊢ f x : B                  (Π-E)
    f:Πx:A. B ⊢ λ*x:A. f x : Π*x:A. B            (Π*-I)

With type dependency and freefrom types, we can express freshness assumptions more precisely than with simply-typed bunches alone. For example, the freshness assertions in the context x : A, y : A, u : …, v : … cannot be expressed with simply-typed bunches. On the other hand, the only way the freshness information in freefrom types can ever be used is via bunches. We then have to ask the question if this is enough to derive useful statements involving freefrom types.

A useful set of rules for working with freefrom types appears in the type system of FreshML [19], which may be seen as a simply typed system with restricted freefrom types. Rules similar to those in FreshML are admissible in our system, thus allowing us to work with freefrom types in the style of FreshML. The main use of freshness in FreshML is for abstraction types (α-equivalence classes) and for the choice of fresh names (new n. M). Since we will see below that both constructions arise as instances of Π* and Σ*, we expect to have at our disposal at least the uses of names and binding as found in FreshML.

Furthermore, with dependent types we can also work with types that are not available in FreshML. For example, assume an inductive type L of lists of names. By structural recursion, we can define a function remove of type Πn:N. (L → L^{…}) taking a name n and a list l to the list which results by removing n from l. As can be seen from the type, remove also provides a proof that n is fresh for the resulting list. Such freshness information is crucial for defining functions out of α-equivalence classes, to guarantee that the definition is independent of the choice of representative. An example of this, the function computing the free variables of a term, is given in Sec. 3.1 below.

2.4 Models

We summarise the structure required of a category B so that its codomain fibration models all of the syntax. The interpretation itself also requires this structure to be split, but due to space restrictions we omit the details of the interpretation.

Definition 2. An affine linear category B is a model of the bunched dependent type theory if it is locally cartesian closed, and if for each object A in B, the functor W_A as defined above is a fibred functor from cod to gl(− * A) having both fibred left and right adjoints Σ*_A ⊣ W_A ⊣ Π*_A.

We have seen that the fibred adjunction W_A ⊣ Π*_A can be formulated in terms of the monoidal structure. We know of no such non-fibred restatement for Σ*_A ⊣ W_A.



3 Names and Binding

In this section we consider how the bunched type theory can be used for working with names and binding. To this end, we consider a particular model of the type theory, the Schanuel topos S, which is being widely used as a universe in which to work with names and binding. The Schanuel topos may be thought of as a category of sets involving names. For lack of space, we cannot present it in any detail; the reader is referred to e.g. [7] for its use for names and binding, and to e.g. [15, 13, 16] for categorical presentations. For the type theory we use the following categorical structure of S.

Proposition 2. The Schanuel topos S is a model of the bunched type theory having the following additional structure.



1. Finite coproducts which are stable under pullback.

2. An object N for which [δ, i] : N + (N * N) → (N × N) is an isomorphism. Here δ is the diagonal map and i is the canonical monomorphism.

3. A vertical natural isomorphism i : Σ*_N → Π*_N such that the triangle below commutes.

[Triangle diagram not recoverable from the scan; its edges are labelled Π*_N(i), η and ε.]

Here η is the unit of Σ*_N ⊣ W_N and ε is the counit of W_N ⊣ Π*_N.

4. For each object A and each monomorphism m : B → C, the commuting square below is a pullback.

[Square diagram not recoverable from the scan; its vertical edges are m*A and m.]

In the rest of this section we explain the structure in this proposition and how it can be integrated in the type theory. We argue informally towards the relation of the above structure to constructions in FM set theory.
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As a model of the bunched type theory, S has both S* and II* types. The fresh sums 
T,*x:A. B may be constructed by taking certain equivalence classes of pairs (M, N) 
with M : A and N : B[M/x]. Fresh products A*x:A. B may be constructed as certain 
partial functions from A to B. This underpins the view of T,*x:A. B and A*x:A. B as 
non-standard sums and products. The difference from the standard sums and products 
is determined only by the names in A. For a type A that does not contain names, such as 
the natural numbers, the non-standard sums and products agree with the standard ones. 

In Prop. 2.2 we ask for an object $N$ of names with the property that any two names are either equal, i.e. a single element of $N$, or fresh for each other, i.e. an element of $N \ast N$. Thus names have decidable equality, with two names being different precisely when they are fresh. This object of names plays the same role as the set of atoms $\mathbb{A}$ in FM set theory. We omit the rules for the type of names and its decidable equality, but remark that stable coproducts are used in the formulation of the term for deciding the equality.

Prop. 2.3 concerns the structure of the types $\Sigma^*n{:}N.\,B$ and $\Pi^*n{:}N.\,B$. Both types can be used for encoding $\alpha$-equivalence classes. An element $n.x$ of type $\Sigma^*n{:}N.\,B$ is, by construction, an equivalence class and may be understood as the $\alpha$-equivalence class of $x$ with respect to $n$. This encoding of $\alpha$-equivalence classes agrees with that of FM set theory. Indeed, for a closed type $B$, the construction of $\Sigma^*n{:}N.\,B$ is (essentially) the same as that of the abstraction set $[\mathbb{A}]B$ of FM set theory. In the work on FM sets it was also observed that $\alpha$-equivalence classes may be constructed as partial functions from $N$ to $B$. This construction is captured by the type $\Pi^*n{:}N.\,B$. Therefore, $\Sigma^*n{:}N.\,B$ and $\Pi^*n{:}N.\,B$ are different encodings of the same $\alpha$-equivalence classes, which means that the types should be isomorphic. This explains the isomorphism in Prop. 2.3. The isomorphism is useful for working with $\alpha$-equivalence classes, as it allows us, for example, to form an $\alpha$-equivalence class as a pair $n.x$ in $\Sigma^*n{:}N.\,B$, and then to use it as a function in $\Pi^*n{:}N.\,B$ to instantiate it at some other name, $(n.M)@m$. We give further examples of this in Sec. 3.1; see also [7].

We integrate the isomorphism $i$ in the type theory by means of hidden-name types $Hn.\,B$, which are isomorphic to both $\Sigma^*n{:}N.\,B$ and $\Pi^*n{:}N.\,B$. The rules for $Hn.\,B$ are those from both $\Sigma^*$ and $\Pi^*$, giving $H$ a self-dual nature.



(H-Ty) $\dfrac{\Gamma \ast n{:}N \vdash B\ \mathrm{Type}}{\Gamma \vdash Hn.\,B\ \mathrm{Type}}$

(H-I1) $\dfrac{\Gamma \ast n{:}N \vdash M : B}{\Gamma \vdash \lambda_H n.\,M : Hn.\,B}$

(H-E1) $\dfrac{\Gamma \vdash M : Hn.\,B \qquad \Delta \vdash N : N}{\Gamma \ast \Delta \vdash M@_H N : B[N/n]}$

(H-I2) $\dfrac{\Gamma \ast n{:}N \vdash B\ \mathrm{Type} \qquad \Gamma \vdash M : N \qquad \Gamma \vdash N : B[M/n]}{\Gamma \vdash \mathrm{bind}_H(M, N) : (Hn.\,B)^{\#(M)}}$

(H-E2) $\dfrac{\Gamma \vdash M : Hn.\,B \qquad (\Gamma \ast n{:}N),\ y{:}B \vdash N : C^{\#(n:N)}}{\Gamma \vdash \mathrm{let}\ M\ \mathrm{be}\ n.{}_H y\ \mathrm{in}\ N : C}$

$M.{}_H N \;=_{\mathrm{df}}\; (\mathrm{let}\ \mathrm{bind}_H(M, N)\ \mathrm{be}\ u^{\#(M)}\ \mathrm{in}\ u)$



The type $Hn.\,B$ may be interpreted as either $\Sigma^*_N B$ or $\Pi^*_N B$. In the first case, the interpretation of $\lambda_H n.\,M$ is given by $i^{-1}(\lambda^* n{:}N.\,M)$, and that of $M@_H N$ by the corresponding $\Pi^*$-elimination of $i(M)$. With this interpretation, the $(\beta)$- and $(\eta)$-equations for $H$ derive from those for $\Sigma^*$ and $\Pi^*$. A further equation, which we omit, arises from the naturality of $i$.

$(\beta 1)$  $(\lambda_H n.\,M)@_H N = M[N/n]$

$(\eta 1)$  $\lambda_H n.\,(M@_H n) = M$  ($n \notin FV(M)$)

$(\beta 2)$  $\mathrm{let}\ \mathrm{bind}_H(M, N)\ \mathrm{be}\ z^{\#(M)}\ \mathrm{in}\ (\mathrm{let}\ z\ \mathrm{be}\ x.y\ \mathrm{in}\ R)^{\#(M)} = R[M/x][N/y]$

$(\eta 2)$  $\mathrm{let}\ M\ \mathrm{be}\ x.y\ \mathrm{in}\ (\mathrm{let}\ \mathrm{bind}_H(x, y)\ \mathrm{be}\ z^{\#(x)}\ \mathrm{in}\ Q^{\#(x)}) = Q[M/z]$

The commuting diagram in Prop. 2.3 provides two additional equations, which explain (to some extent) the interaction between the two roles of $Hn.\,B$ as $\Sigma^*n{:}N.\,B$ and $\Pi^*n{:}N.\,B$. The equations are formulated in context $\Gamma \ast n{:}N$.

$(\beta 3)$  $\mathrm{let}\ \mathrm{bind}_H(n, N)\ \mathrm{be}\ x^{\#(n)}\ \mathrm{in}\ x@_H n = N$

$(\eta 3)$  $\mathrm{bind}_H(n,\ \mathrm{let}\ M\ \mathrm{be}\ x^{\#(n)}\ \mathrm{in}\ x@_H n) = M$

From Prop. 2.4 it follows that hidden-name types are in propositions-as-types correspondence with the freshness quantifier И of Gabbay and Pitts. Consider the logic of subobjects of $\mathcal{S}$. From the fibred adjunction $\Sigma^*_A \dashv W_A \dashv \Pi^*_A$ we can derive a fibred adjunction $\exists^*_A \dashv W_A \dashv \forall^*_A$ on $\mathrm{Sub}(\mathcal{S})$, where $W_A$ now denotes the endofunctor on $\mathrm{Sub}(\mathcal{S})$ mapping a subobject $m : B \rightarrowtail C$ to $m \ast A : B \ast A \rightarrowtail C \ast A$ (note that $- \ast A$ preserves pullbacks, and so also monos). Prop. 2.4 then means that $W_A$ is nothing but substitution along the projection $\pi_1 : (-) \ast A \to (-)$. Thus the propositions-as-types analogues $\exists^*_A$ of $\Sigma^*_A$ and $\forall^*_A$ of $\Pi^*_A$ arise in terms of ordinary quantification along this projection. In the particular case where $A$ is $N$, it follows from $\Sigma^*_N \cong \Pi^*_N$ that $\exists^*_N = \forall^*_N$. We have thus shown that, along the projection $\pi_1 : (-) \ast N \to (-)$, the existential and the universal quantifier agree, and it may be seen [16] that this amounts to the freshness quantifier И, i.e. И coincides with $\exists^*_N = \forall^*_N$. As hidden-name types correspond to both $\exists^*_N$ and $\forall^*_N$, they thus correspond to И.

3.1 Examples and Applications 

Unique Choice of Fresh Names. For programming with names and binders, it is useful to have the ability to generate fresh names. In FreshML, one can write a term $(\mathrm{new}\ n.\,M)$, which is thought of as the unique value of $M$ for an arbitrary freshly chosen name $n$. The existence of such a unique value can be guaranteed by a freshness condition on $M$. Using our notation, the introduction rule for $\mathrm{new}$ may be written as follows.

$\dfrac{\Gamma \ast n{:}N \vdash M : C^{\#(n:N)}}{\Gamma \vdash \mathrm{new}\ n.\,M : C}$

This is derivable in our system by means of the following derivation, in which we write $1$ for the unit type with unique element $\langle\rangle : 1$.

1. From $\Gamma \ast n{:}N \vdash \langle\rangle : 1$ we get $\Gamma \vdash \lambda_H n.\,\langle\rangle : Hn.\,1$ by (H-I1).

2. From the premise $\Gamma \ast n{:}N \vdash M : C^{\#(n:N)}$ we get $(\Gamma \ast n{:}N),\ u{:}1 \vdash M : C^{\#(n:N)}$ by (Weak).

3. With $\Gamma,\ z{:}Hn.\,1 \vdash z : Hn.\,1$ (Weak), rule (H-E2) applied to step 2 yields $\Gamma,\ z{:}Hn.\,1 \vdash \mathrm{let}\ z\ \mathrm{be}\ n.u\ \mathrm{in}\ M : C$.

4. Substituting the term of step 1 for $z$ (Subst) gives $\Gamma \vdash \mathrm{let}\ (\lambda_H n.\,\langle\rangle)\ \mathrm{be}\ n.u\ \mathrm{in}\ M : C$.

We use $(\mathrm{new}\ n.\,M)$ as an abbreviation for the term in the conclusion of this derivation.

In this way, we are using the fact that $Hn.\,1$ is inhabited to obtain a supply of fresh names. This generalises the situation in FM set theory or the Theory of Contexts, where one uses the truth of the proposition (И$\,n.\,\top$) as a supply of fresh names for reasoning.
Abstract Syntax with Variable Binding. A key application of names and binding is working with abstract syntax involving variable binders. We encode abstract syntax as an inductive type, using hidden-name types $Hn.\,A$ for object-level binders. The duality of $H$ offers two styles of working with abstract syntax: viewing $H$ as $\Pi^*$ allows us to work in the style of weak Higher Order Abstract Syntax (wHOAS) [3, 11], and viewing $H$ as $\Sigma^*$ supports the style of FM set theory. In the rest of this section we give examples illustrating the advantages of both views, as well as showing the benefits of mixing the two styles.

We take the syntax of the untyped $\lambda$-calculus as an example, encoding it as an inductive type $\mathrm{Lam}$ with three constructors: $\mathrm{var} : N \to \mathrm{Lam}$, $\mathrm{app} : (\mathrm{Lam} \times \mathrm{Lam}) \to \mathrm{Lam}$ and $\mathrm{lam} : (Hn.\,\mathrm{Lam}) \to \mathrm{Lam}$. For example, the term $\lambda x.\,\lambda y.\,(x\ y)$ can be encoded as $\mathrm{lam}(\lambda_H x.\,\mathrm{lam}(\lambda_H y.\,\mathrm{app}(\mathrm{var}(x), \mathrm{var}(y))))$. In a context with two different names $x$ and $y$, it may also be encoded as $\mathrm{lam}(x.{}_H\,\mathrm{lam}(y.{}_H\,\mathrm{app}(\mathrm{var}(x), \mathrm{var}(y))))$.

Semantically, $\mathrm{Lam}$ corresponds to an initial algebra, which lets us define functions by structural recursion. The following recursion principle follows from the initial algebra when $Hn.\,\mathrm{Lam}$ is viewed as $\Pi^*n{:}N.\,\mathrm{Lam}$.

$x{:}\mathrm{Lam} \vdash A(x)\ \mathrm{Type}$
$\Gamma \vdash f : \Pi n{:}N.\,A(\mathrm{var}(n))$
$\Gamma \vdash g : \Pi M, N{:}\mathrm{Lam}.\,A(M) \to A(N) \to A(\mathrm{app}(M, N))$
$\Gamma \vdash h : \Pi M{:}(Hn.\,\mathrm{Lam}).\,(Hn.\,A(M@_H n)) \to A(\mathrm{lam}(M))$
───────────────────────────────────────────────
$\Gamma \vdash \mathrm{rec}(f, g, h) : \Pi M{:}\mathrm{Lam}.\,A(M)$

with equations (in which we write $\mathrm{rec}$ for $\mathrm{rec}(f, g, h)$)

$\mathrm{rec}\ \mathrm{var}(n) = f\ n$
$\mathrm{rec}\ \mathrm{app}(M, N) = g\ M\ N\ (\mathrm{rec}\ M)\ (\mathrm{rec}\ N)$
$\mathrm{rec}\ \mathrm{lam}(M) = h\ M\ (\lambda_H n.\,(\mathrm{rec}\ (M@_H n)))$.

For a closed type $A$, this structural recursion produces a unique function $\mathrm{Lam} \to A$ for given functions $f : N \to A$, $g : \mathrm{Lam} \to \mathrm{Lam} \to A \to A \to A$ and $h : (Hn.\,\mathrm{Lam}) \to (Hn.\,A) \to A$. In FM set theory one has an apparently different recursion principle, where instead of $h$ one is essentially given a function $k : Hn.\,\mathrm{Lam} \to A \to A^{\#(n:N)}$. The above recursion principle is also applicable in this case, since from $k$ we can define $h =_{\mathrm{df}} \lambda u{:}(Hn.\,\mathrm{Lam}).\,\lambda v{:}(Hn.\,A).\,\mathrm{new}\ n.\,((k@_H n)\ (u@_H n)\ (v@_H n))$. In this way we get a second recursion operator $\mathrm{rec}'(f, g, k)$ with the following equation for the lam-case: $(\mathrm{rec}'(f, g, k)\ \mathrm{lam}(M)) = \mathrm{new}\ n.\,((k@_H n)\ (M@_H n)\ (\mathrm{rec}'(f, g, k)\ (M@_H n)))$.

As a first example of a recursively defined function, we define capture-avoiding substitution in the style of wHOAS and compare the definition to an FM-style encoding. Given $m : N$ and $R : \mathrm{Lam}$, we can use $\mathrm{rec}$ to define $\mathrm{subst} : \mathrm{Lam} \to \mathrm{Lam}$ satisfying

$\mathrm{subst}(\mathrm{var}(n)) = \mathrm{ifeq}\ (m, n)\ \mathrm{then}\ R\ \mathrm{else}\ \mathrm{var}(n)$
$\mathrm{subst}(\mathrm{app}(M, N)) = \mathrm{app}(\mathrm{subst}(M), \mathrm{subst}(N))$
$\mathrm{subst}(\mathrm{lam}(M)) = \mathrm{lam}(\lambda_H n.\,\mathrm{subst}(M@_H n))$.

This definition uses only the view of $H$ as $\Pi^*$ and is similar in spirit to wHOAS definitions. We can also define substitution in FM-style using $\mathrm{rec}'$. For the lam-case we then have $\mathrm{subst}(\mathrm{lam}(M)) = \mathrm{new}\ n.\,(\mathrm{let}\ \mathrm{bind}_H(n, \mathrm{subst}(M@_H n))\ \mathrm{be}\ w^{\#(n)}\ \mathrm{in}\ (\mathrm{lam}(w))^{\#(n)})$. However, this definition is more complex than the first one, since it involves a unique choice of fresh names via $\mathrm{new}$. In the first definition we could do without the choice of a fresh name by using $\lambda_H$ to 'rebind' the fresh name $n$.

As a second example, we define the function computing the free variables of a term. This example makes essential use of the view of $H$ as $\Sigma^*$. We assume an inductive type $L$ of lists of names, together with suitably defined functions $\mathrm{singleton} : N \to L$, $\mathrm{concat} : L \to L \to L$, and $\mathrm{remove} : \Pi n{:}N.\,(L \to L^{\#(n:N)})$. Using $\mathrm{rec}$, we can define $\mathrm{fv} : \mathrm{Lam} \to L$ to satisfy the equations

$\mathrm{fv}(\mathrm{var}(n)) = \mathrm{singleton}(n)$
$\mathrm{fv}(\mathrm{app}(M, N)) = \mathrm{concat}(\mathrm{fv}(M), \mathrm{fv}(N))$
$\mathrm{fv}(\mathrm{lam}(M)) = \mathrm{let}\ (\lambda_H n.\,\mathrm{fv}(M@_H n))\ \mathrm{be}\ n.y\ \mathrm{in}\ (\mathrm{remove}\ n\ y)$

This example demonstrates how let-terms can be used for 'pattern matching' elements of $Hn.\,A$. A similar pattern matching appears in FreshML. Moreover, the example shows that it is useful to mix the views of $H$ as $\Pi^*$ and $\Sigma^*$.

Note that, in the equation for lam, the subterm $(\mathrm{remove}\ n\ y)$ has type $L^{\#(n:N)}$, and that this freshness information is necessary for the let to be typeable. Intuitively, this is because the choice of representative $n.y$ must not affect the computation. Dependency in the type of $\mathrm{remove}$ is therefore essential for the pattern matching in the definition of $\mathrm{fv}$. Without dependency we could write $\mathrm{remove}$ with type $N \to L \to L$, but then $\mathrm{fv}$ as above would not be typeable. Indeed, this problem arises in FreshML, where $\mathrm{fv}$ cannot be defined using a $\mathrm{remove}$ function of this type (nevertheless, $\mathrm{fv}$ can be defined in FreshML).

Again, we can use $\mathrm{rec}'$ to give an alternative definition of $\mathrm{fv}$ so that it satisfies the equation $\mathrm{fv}(\mathrm{lam}(M)) = \mathrm{new}\ n.\,(\mathrm{remove}\ n\ (\mathrm{fv}(M@_H n)))$. Note that, by means of $\mathrm{new}$, this encoding also uses the view of $H$ as $\Sigma^*$, and this is in fact essential. The Theory of Contexts, for example, axiomatises an 'is not free in' predicate rather than defining $\mathrm{fv}$.



4 Discussion and Further Work 

We have introduced a bunched dependent type theory that integrates FM concepts for 
working with names and binding. 

One decision in the design of the bunches was to allow dependency for additive context extension but to forbid any dependency for multiplicative context extension. There are other possibilities for combining bunches and dependency. Pym [20, §15.15], for example, outlines a bunched dependent calculus allowing more dependency. The problem with using this for names and binding, which has led us to the current design, is that it would require generalising the monoidal product $\ast$ to a monoidal product on the slices of $\mathcal{S}$, and there seems to be no sensible way of doing this.

We stress that, although the examples in this paper concentrate on programming, reasoning with names and binding can also be accommodated in the type theory. Indeed, it is possible to define a higher-order logic over the dependent type theory [12, §11]. In addition to the usual logical connectives, this logic also features the multiplicative quantifiers $\exists^*$ and $\forall^*$, similar to $\forall_{\mathrm{new}}$ and $\exists_{\mathrm{new}}$ from BI [20], as well as the freshness quantifier И. This higher-order logic supports reasoning with names similar to the Theory of Contexts. For example, the Theory of Contexts has an 'extensionality' axiom, which may be expressed as $\Gamma \mid \exists^* n{:}N.\,(M@_H n =_A N@_H n) \vdash (M =_{Hn.A} N)$, where $M$ and $N$ have type $Hn.\,A$ and $=_A$ denotes Leibniz equality. Making essential use of the equation $(\eta 3)$, this sequent is derivable in the logic. In another direction, one may also ask how the logic relates to Nominal Logic [18]. For this it is necessary to consider swapping, an essential ingredient of Nominal Logic that is absent from the type theory. We briefly discuss the possibilities of adding swapping below.

Another possibility for reasoning is to use dependent types to encode propositions as types. Alongside the usual encodings of $\forall$ as $\Pi$ and $\exists$ as $\Sigma$, one can encode $\forall^*$ as $\Pi^*$, $\exists^*$ as $\Sigma^*$, and И as $H$. Although such an encoding is possible, the use of $\exists^*$ is very restricted, because the rules for $\Sigma^*$ use freefrom types over a proposition $\varphi$ and, at least in this paper, we allow such types only when $\varphi$ is closed. Considering a higher-order logic is a way of side-stepping this problem, since, because of Prop. 2.4, the freefrom type over $\varphi$ is equivalent to $\varphi$ itself, so that freefrom types can be avoided altogether in the logic.

Although we have based our type theory on freshness rather than swapping, we nevertheless think that swapping can be useful in type theory. Swapping can be added to the type theory as a special kind of explicit substitution, as is done in [1, 23]. One application of swapping is to make available more information about the isomorphism $\Sigma^*_N \cong \Pi^*_N$ than is given by the commuting triangle in Prop. 2.3. The triangle only explains the instantiation of $n.{}_H x$ at $n$. With swapping, we can explain the instantiation of $n.{}_H x$ at names other than $n$ by adding the equation $(n.{}_H x)@_H m = (m\ n)\cdot x$. Furthermore, with swapping, we should get a logic close to Nominal Logic; see also [16].

Regarding the categorical semantics of the type theory, it is natural to ask how it compares to other categorical approaches to names and binding. Besides the Schanuel topos, two other categories used frequently [9, 4, 5, ...] for names and binding are $\mathbf{Set}^{\mathbb{F}}$, where $\mathbb{F}$ is the category of finite cardinals and all functions between them, and $\mathbf{Set}^{\mathbb{I}}$, where $\mathbb{I}$ is the category of finite cardinals and injections. However, neither category has all of the structure of Prop. 2. In $\mathbf{Set}^{\mathbb{F}}$ names do not have decidable equality, whereas $\mathbf{Set}^{\mathbb{I}}$ does not have a freshness quantifier and not all the canonical maps $A \ast B \to A \times B$ are monomorphic. In this light, Prop. 2 should be viewed as identifying the categorical structure underlying the work with names and binding, while for particular applications it may well be sufficient to have only some of this structure. Another example of such a substructure is Menni's axiomatisation of binders [16]. Nevertheless, there are categories other than the Schanuel topos having the structure of Prop. 2. One such category is a variation of the Schanuel topos in which the elements are allowed to contain countably many names rather than just finitely many; see [18, p. 13]. There is also a realisability category having almost all of the structure of Prop. 2, the only restriction being that the type $\Sigma^*x{:}A.\,B$ can only be formed when $A$ belongs to a certain restricted class of types (which includes all types with decidable equality). Moreover, this category models an impredicative universe, so that it should provide the basis for a bunched calculus of constructions.

There are many directions for further work. First, an immediate point requiring further work is the restriction that freefrom types over $B$ can only be formed for closed $B$. Second, the proof theory of the bunched type theory needs further work. Also, variants such as a non-affine version of the type theory should be possible. Finally, algorithmic questions such as the decidability of type-checking should be considered.

Acknowledgements. We would like to thank Alex Simpson and John Power for inter- 
esting discussions on this work. 
Abstract. Using separation logic, this paper presents three Hoare logics 
(corresponding to different notions of correctness) for the simple While 
language extended with commands for heap access and modification. 
Properties of separating conjunction and separating implication are me- 
chanically verified and used to prove soundness and relative completeness 
of all three Hoare logics. The whole development, including a formal proof 
of the Frame Rule, is carried out in the theorem prover Isabelle/HOL. 
1 Introduction 

Since C. A. R. Hoare's seminal work in 1969 [9], extensions of his logic have been developed for a multitude of language constructs [1, 2], including recursive procedures, nondeterminism, and even object-oriented languages. Extending Hoare logic to pointer programs, however, is not without difficulties. Recently separation logic was proposed by O'Hearn, Reynolds et al. [15, 19, 16] to overcome the local reasoning problem that is raised by the treatment of record components as arrays [6, 5].

Machine support is indispensable for formal program verification. Manual 
proofs are error-prone, and the verification of medium-sized programs has be- 
come feasible only because systems like SVC [3] can automatically discharge 
many proof obligations. Separation logic, although its usability has been demon- 
strated in several case studies [18,4], currently lacks such support. In this paper 
we show how separation logic can be embedded into the theorem prover Is- 
abelle/HOL [14]. We thereby lay the foundations for the use of separation logic 
in a semi-automatic verification tool. Our work is based on a previous formaliza- 
tion of a simple imperative language [12] which however did not consider pointers 
or separation logic. The current focus is on fundamental semantic properties of 
the resulting Hoare logics. 

This paper is organized as follows. In Section 2 we define the programming 
language, together with its operational and denotational semantics. Section 3 
introduces separation logic. In Section 4 we present three Hoare logics for our language, all of which are proved to be sound and relatively complete. The Frame Rule is also addressed, and its soundness is proved for one of the Hoare logics. We discuss the mechanical verification of a simple pointer algorithm, in-place list reversal, in Section 5.

2 The Language 

2.1 Semantic Domains 

We use an unspecified type of variables. Addresses are elements of a numerical type, namely the naturals (nat), to permit address arithmetic. For simplicity, the same type is used for values. Thereby the value of a variable can immediately be used as an address, with no need for a conversion function (cf. [16]).

Stores map variables to values. Heaps are modelled as partial functions from addresses to values. Other possibilities would be to define heaps as subsets of addr × val (with functionality constraints), or as lists of type (addr × val) list (again with functionality constraints, and modulo order). However, our current definition is much easier to state and work with in Isabelle/HOL, since it can make use of readily available function types and does not require subtyping. On the other hand, it also permits infinite heaps. This seemingly minor difference will become important again in Section 4.4, when we consider the Frame Rule.

A program state is either a pair consisting of a store and a heap, or None. The latter value will be used in the semantics of the language to indicate that a memory error occurred during program execution. Arithmetic and boolean expressions are only modelled semantically: they are just functions on stores (and hence independent of the heap).

Most of Isabelle's syntax used in this paper is close to standard mathematical notation and should not require further explanation. Both ⟹ and → mean implication. ⟦A₁; …; Aₙ⟧ ⟹ B is an abbreviation for A₁ ⟹ … ⟹ Aₙ ⟹ B. We use α ⇒ β for the type of total functions from α to β. Likewise, infix ⇀ is used to denote the type of partial functions. Other type constructors, e.g. list and option, are written postfix. Thus the above-mentioned semantic domains can be formalized as follows:

types addr = nat
      val = nat
      store = var ⇒ val
      heap = addr ⇀ val
      state = (store × heap) option
      aexp = store ⇒ val
      bexp = store ⇒ bool

2.2 Syntax 

We consider an extension of the simple While language [9, 12] with new commands for memory allocation (list, alloc), heap lookup, heap mutation, and memory deallocation (dispose).

Both list and alloc allocate memory on the heap. list can only be used when the number of addresses to be allocated is known beforehand, i.e. for allocation of fixed-size records. The list command takes a list of arithmetic expressions as its second argument. The number of consecutive addresses to be allocated is given by the length of the list; the allocated memory is then initialized with the values of the expressions in the list. alloc, on the other hand, is meant for dynamic allocation of arrays. Its second argument is a single arithmetic expression that specifies the number of consecutive addresses to be allocated. The allocated memory is initialized with arbitrary values.

The lookup command assigns the value of an (allocated) address to a variable, the heap mutation command modifies the value of the heap at a given address, and dispose finally deallocates a single address. The precise operational semantics is given in Section 2.4.



2.3 Basic Operations on Heaps 

Before we can define the semantics of our language, we need to introduce some basic operations on heaps. We define four functions to retrieve the value of a heap at a specific address, remove an address from the domain of a heap, test whether a set of addresses is free in a heap, and update a set of consecutive addresses in a heap with specific values. To some extent these functions allow us to abstract from our particular implementation of heaps as partial functions.

heap-lookup :: heap ⇒ addr ⇒ val
heap-lookup h a = the (h a)
heap-remove :: heap ⇒ addr ⇒ heap
heap-remove h a = h(a := None)
heap-isfree :: heap ⇒ addr ⇒ nat ⇒ bool
heap-isfree h a n = (set [a..<a+n] ∩ dom h = {})
heap-update :: heap ⇒ addr ⇒ (val list) ⇒ heap
heap-update h a vs = h([a..<a+length vs] [↦] vs)

Later we will also need notions of disjointness and union for heaps in order to define separating conjunction and separating implication. We say two heaps (or more generally, two partial functions) are disjoint, written f ⋈ g, iff their domains are disjoint.

f ⋈ g = (dom f ∩ dom g = {})

The union of heaps, ++, is defined as one would expect, with the second heap having precedence over the first.

f ++ g = λx. case g x of None ⇒ f x | Some y ⇒ Some y

We will only take the union of disjoint heaps, however, and for those ++ is commutative:

Lemma. f ⋈ g ⟹ f ++ g = g ++ f
2.4 Operational Semantics

The operational semantics of our language is defined via a (big-step) evaluation relation →c between pairs of a command and a state on the one hand and states on the other. We write ⟨c, s⟩ →c s' to express that executing command c from state s can lead to state s'. This evaluation relation is defined inductively.

⟨c, None⟩ →c None

⟨skip, Some (s,h)⟩ →c Some (s,h)

⟨x :== a, Some (s,h)⟩ →c Some (s[x ↦ a s], h)

⟨c0, s⟩ →c s'' ⟹ ⟨c1, s''⟩ →c s' ⟹ ⟨c0; c1, s⟩ →c s'

b s ⟹ ⟨c0, Some (s,h)⟩ →c s' ⟹ ⟨if b then c0 else c1, Some (s,h)⟩ →c s'
¬ b s ⟹ ⟨c1, Some (s,h)⟩ →c s' ⟹ ⟨if b then c0 else c1, Some (s,h)⟩ →c s'

b s ⟹ ⟨c, Some (s,h)⟩ →c s'' ⟹ ⟨while b do c, s''⟩ →c s' ⟹ ⟨while b do c, Some (s,h)⟩ →c s'
¬ b s ⟹ ⟨while b do c, Some (s,h)⟩ →c Some (s,h)

⟦heap-isfree h a (length as); vs = map (λe. e s) as⟧ ⟹ ⟨x :== list as, Some (s,h)⟩ →c Some (s[x ↦ a], heap-update h a vs)
(∀a. ¬ heap-isfree h a (length as)) ⟹ ⟨x :== list as, Some (s,h)⟩ →c None

(heap-isfree h a (n s) ∧ length vs = n s) ⟹ ⟨x :== alloc n, Some (s,h)⟩ →c Some (s[x ↦ a], heap-update h a vs)
(∀a. ¬ heap-isfree h a (n s)) ⟹ ⟨x :== alloc n, Some (s,h)⟩ →c None

a s ∈ dom h ⟹ ⟨x :== @a, Some (s,h)⟩ →c Some (s[x ↦ heap-lookup h (a s)], h)
a s ∉ dom h ⟹ ⟨x :== @a, Some (s,h)⟩ →c None

a s ∈ dom h ⟹ ⟨@a :== v, Some (s,h)⟩ →c Some (s, heap-update h (a s) [v s])
a s ∉ dom h ⟹ ⟨@a :== v, Some (s,h)⟩ →c None

a s ∈ dom h ⟹ ⟨dispose a, Some (s,h)⟩ →c Some (s, heap-remove h (a s))
a s ∉ dom h ⟹ ⟨dispose a, Some (s,h)⟩ →c None

The rules for skip, assignment, composition, if, and while are standard, and are only shown for completeness. The rules for the pointer commands come in pairs, with one rule leading to a valid successor state, the other one to the error state None. Which rule can be applied depends on the current heap. Allocating memory in a heap that does not have enough free addresses will result in an error, as will the attempt to access, modify, or deallocate free addresses.

With the exception of the first rule, these rules are all syntax directed (i.e. applicable only to a specific command). The first rule is needed to ensure that programs "don't get stuck" when an error has occurred. For the same reason it is important that we do not restrict the rule for sequential composition to valid states.

Nondeterminism is introduced by the rules for list and alloc. Both commands choose an arbitrary sequence of (consecutive) free addresses for the newly allocated memory. Furthermore, alloc initializes this memory with arbitrary values.



2.5 Denotational Semantics 

In addition to the operational semantics, we also define the denotational se- 
mantics of commands. We will show that both semantics are equivalent, thus we 
could (in principle) do without a denotational semantics. However, we found that 
the denotational semantics, and in particular its fixed point characterization of 
while, is often easier to work with than the operational semantics. It enables us to 
prove semantic properties by induction on commands, rather than by induction 
on the evaluation relation. The denotational semantics of a command is given 
by a set of pairs of states. 

types com-den = (state × state) set

The following function Γ is used to define the semantics of the while command as a least fixed point. The operator ∘ denotes relational composition.

Γ :: bexp ⇒ com-den ⇒ (com-den ⇒ com-den)
Γ b cd = (λφ. { (Some(s,h), t) | s h t. (Some(s,h), t) ∈ (φ ∘ cd) ∧ b s } ∪
              { (Some(s,h), Some(s,h)) | s h. ¬ b s } ∪
              { (None, None) })

The meaning function C, which maps each command to its denotational semantics, is now defined by primitive recursion.

C skip = Id
C (x :== a) = { (Some(s,h), Some(s[x ↦ a s], h)) | s h. True } ∪ { (None, None) }
C (c0; c1) = C(c1) ∘ C(c0)
C (if b then c1 else c2) = { (Some(s,h), t) | s h t. (Some(s,h), t) ∈ C c1 ∧ b s } ∪
                           { (Some(s,h), t) | s h t. (Some(s,h), t) ∈ C c2 ∧ ¬ b s } ∪
                           { (None, None) }
C (while b do c) = lfp (Γ b (C c))
C (x :== list as) = { (Some(s,h), Some(s[x ↦ a], heap-update h a (map (λe. e s) as)))
                      | s h a. heap-isfree h a (length as) } ∪
                    { (Some(s,h), None) | s h. ∀a. ¬ heap-isfree h a (length as) } ∪
                    { (None, None) }
C (x :== alloc n) = { (Some(s,h), Some(s[x ↦ a], heap-update h a vs))
                      | s h a vs. heap-isfree h a (n s) ∧ length vs = n s } ∪
                    { (Some(s,h), None) | s h. ∀a. ¬ heap-isfree h a (n s) } ∪
                    { (None, None) }
C (x :== @a) = { (Some(s,h), Some(s[x ↦ heap-lookup h (a s)], h)) | s h. a s ∈ dom h } ∪
               { (Some(s,h), None) | s h. a s ∉ dom h } ∪
               { (None, None) }
C (@a :== v) = { (Some(s,h), Some(s, heap-update h (a s) [v s])) | s h. a s ∈ dom h } ∪
               { (Some(s,h), None) | s h. a s ∉ dom h } ∪
               { (None, None) }
C (dispose a) = { (Some(s,h), Some(s, heap-remove h (a s))) | s h. a s ∈ dom h } ∪
                { (Some(s,h), None) | s h. a s ∉ dom h } ∪
                { (None, None) }

By induction on →c, one can show that ⟨c, s⟩ →c t implies (s, t) ∈ C(c). The other direction, i.e. (s, t) ∈ C(c) ⟹ ⟨c, s⟩ →c t, is shown by induction on c. For both directions, only the while case is not automatic (but still fairly simple). Taking these two results together, we obtain equivalence of denotational and operational semantics:

Theorem. (s,t) ∈ C(c) = (⟨c,s⟩ →c t)

We will freely use this result in the following proofs whenever it is more 
convenient to reason using a particular semantics. 



3 Assertions of Separation Logic

We only model the semantics of assertions, not their syntax. Assertions are predicates on stores and heaps:

types assn = store ⇒ heap ⇒ bool

This semantic approach (or shallow embedding) entails that any HOL term of the correct type can be used as an assertion, not just formulae of separation logic. If we had modelled assertions syntactically, we would have had to redefine most of HOL's logical connectives (including classical conjunction, implication, and first-order quantification), and the explicit definition of a formula's semantics would have introduced another layer of abstraction between separation logic and the lemmata and proof automation available in HOL. Our current definition, on the other hand, allows us to consider separation logic as an extension of higher-order logic, thereby giving us the features of HOL (almost) for free. The main drawback for our purposes is perhaps an esthetic one: when mixing classical and separating connectives, we have to use λ-abstractions to make their types compatible (cf. Section 3.1). A more detailed discussion of the respective strengths and weaknesses of shallow vs. deep embeddings is forthcoming [17].

Let us now introduce some abbreviations. emp asserts that the heap is empty (i.e. that no address is allocated), and a ↦ v is true of a heap iff a is the only allocated address, and it points to the value v.

emp h = (dom h = {})
(a ↦ v) h = (dom h = {a} ∧ heap-lookup h a = v)

Separation logic has two special connectives, separating conjunction (∧*) and separating implication (−*). P ∧* Q states that the heap can be split into disjoint parts satisfying P and Q, respectively. P −* Q is true of a heap h iff Q holds for every extension of h with a disjoint part that satisfies P. These connectives are defined using quantification over heaps. The definitional approach allows us to prove their properties, rather than to introduce them as new axioms.

sep-conj :: (heap ⇒ bool) ⇒ (heap ⇒ bool) ⇒ heap ⇒ bool (infixl ∧*)
(P ∧* Q) h = (∃h' h''. (h' ⋈ h'') ∧ (h' ++ h'' = h) ∧ P h' ∧ Q h'')

sep-imp :: (heap ⇒ bool) ⇒ (heap ⇒ bool) ⇒ heap ⇒ bool (infixr −*)
(P −* Q) h = (∀h'. ((h' ⋈ h) ∧ P h') → Q (h ++ h'))
Although assertions of separation logic may depend on the store, they usually do so only in a completely homomorphic fashion (cf. [16]). Therefore this dependency can easily be eliminated from compound formulae, and it is sufficient to define separating conjunction and implication for predicates of type heap ⇒ bool. Further assertions denote that a heap contains exactly one allocated address a (written a ↦ −), and that an address a points to a value v, where other addresses in the heap may be allocated as well (a ↪ v). Using address arithmetic (Suc is the successor function on naturals), we extend these notions to lists of values.

(a ↦ −) h = (∃v. (a ↦ v) h)
(a ↪ v) = (a ↦ v) ∧* true
(a [↦] []) = emp
(a [↦] (v#vs)) = (a ↦ v) ∧* ((Suc a) [↦] vs)
(a [↪] []) = true
(a [↪] (v#vs)) = (a ↪ v) ∧* ((Suc a) [↪] vs)

3.1 Properties of Separating Conjunction and Separating 
Implication 

We can relatively easily prove associativity and commutativity of ∧*, identity of 
emp under ∧*, and various distributive and semidistributive laws. Most of the 
proofs are automatic; sometimes however we need to manually instantiate the 
existential quantifiers obtained by unfolding the definition of ∧*. 

Lemma. P ∧* (Q ∧* R) = (P ∧* Q) ∧* R 
Lemma. P ∧* Q = Q ∧* P 
Lemma. emp ∧* P = P 
Lemma. P ∧* emp = P 

Lemma. ((λh. P h ∨ Q h) ∧* R) h = ((P ∧* R) h ∨ (Q ∧* R) h) 
Lemma. ((λh. P h ∧ Q h) ∧* R) h −→ ((P ∧* R) h ∧ (Q ∧* R) h) 

Lemma. ((λh. ∃x. P x h) ∧* Q) h = (∃x. (P x ∧* Q) h) 

Lemma. ((λh. ∀x. P x h) ∧* Q) h −→ (∀x. (P x ∧* Q) h) 

Lemma. ⟦∀h. P h −→ P' h; ∀h. Q h −→ Q' h⟧ ⟹ (P ∧* Q) h −→ (P' ∧* Q') h 

Lemma. ⟦∀h. (P ∧* Q) h −→ R h⟧ ⟹ P h −→ (Q −∗ R) h 
Lemma. ⟦∀h. P h −→ (Q −∗ R) h⟧ ⟹ (P ∧* Q) h −→ R h 

Following Reynolds [16], we have also defined , ^ ^ ^ ^ ^ 

I , and ^ I assertions, and proved many of their properties. Our 

growing library of lemmata serves as a basis for verification proofs and increased 
proof automation. 



4 Hoare Logics 

4.1 Partial Correctness 

In this subsection we present a Hoare logic for partial correctness. We say a Hoare 
triple {P} c {Q} is valid, written ⊨p {P} c {Q}, iff every terminating execution of c that starts in 
a valid state (i.e. in a state of the form Some (s,h)) satisfying the precondition P 
ends up in a state that satisfies Q, or a memory error occurs. 

⊨p {P} c {Q} = 

(∀s h s' h'. (Some (s,h), Some (s',h')) ∈ C(c) −→ P s h −→ Q s' h') 

Hence there are two ways in which a Hoare triple can be trivially valid: c, 
when executed in a state that satisfies the precondition, either does not terminate 
at all, or only terminates in the error state None. 

Derivability, written ⊢p, of Hoare triples is defined inductively. The following set of 
Hoare rules is both sound and relative complete with respect to the notion of 
validity defined above. 

⊢p {P} skip {P} 

⊢p {λs h. P (s[x ↦ (a s)]) h} x :== a {P} 

⟦⊢p {P} c {Q}; ⊢p {Q} d {R}⟧ ⟹ ⊢p {P} c; d {R} 

⟦⊢p {λs h. P s h ∧ b s} c {Q}; ⊢p {λs h. P s h ∧ ¬b s} d {Q}⟧ ⟹ 
⊢p {P} if b then c else d {Q} 

⊢p {λs h. P s h ∧ b s} c {P} ⟹ 
⊢p {P} while b do c {λs h. P s h ∧ ¬b s} 

⊢p {λs h. (∀a. ((a [↦] (map (λe. e s) as)) −∗ (P (s[x ↦ a]))) h)} 
x :== list as {P} 

⊢p {λs h. (∀a vs. (length vs = n s) −→ ((a [↦] vs) −∗ (P (s[x ↦ a]))) h)} 
x :== alloc n {P} 

⊢p {λs h. (a s ∈ dom h) −→ P (s[x ↦ heap-lookup h (a s)]) h} x :== @a {P} 

⊢p {λs h. (a s ∈ dom h) −→ P s (heap-update h (a s) [v s])} @a :== v {P} 

⊢p {λs h. (a s ∈ dom h) −→ P s (heap-remove h (a s))} dispose a {P} 

⟦∀s h. P' s h −→ P s h; ⊢p {P} c {Q}; ∀s h. Q s h −→ Q' s h⟧ ⟹ 
⊢p {P'} c {Q'} 

Soundness is proved by a straightforward induction on ⊢p. The only nontrivial 
case is the while rule; it requires fixed point induction. 

Theorem. ⊢p {P} c {Q} ⟹ ⊨p {P} c {Q} 

To prove completeness, we employ the notion of weakest liberal preconditions [8]. 

wp :: com ⇒ assn ⇒ assn 

wp c Q = (λs h. (∀s' h'. (Some (s,h), Some (s',h')) ∈ C(c) −→ Q s' h')) 

The key to the completeness proof is a lemma stating that Hoare triples 
of the form {wp c Q} c {Q} are derivable. The lemma is proved by induction 
on c. 

Lemma. ∀Q. ⊢p {wp c Q} c {Q} 

From this, relative completeness of the Hoare rules follows easily with the 
rule of consequence. 

Theorem. ⊨p {P} c {Q} ⟹ ⊢p {P} c {Q} 
4.2 Tight Specifications 

The Hoare logic from Section 4.1 does not guarantee the absence of memory 
errors. We now consider a slightly different Hoare logic for partial correctness, 
which perhaps better reflects the principle that “well-specified programs don’t 
go wrong” [16]. In this logic, a Hoare triple {P} c {Q} is valid, written ⊨t, iff every 
terminating execution of c that starts in a valid state satisfying P ends up in a 
valid state satisfying Q. 

⊨t {P} c {Q} = 

(∀s h. ((P s h −→ (Some (s,h), None) ∉ C(c)) 

∧ (∀s' h'. (Some (s,h), Some (s',h')) ∈ C(c) −→ P s h −→ Q s' h'))) 

Compared to the previous Hoare logic, we have added a safety constraint 
expressing that the error state None must be unreachable. Specifications are 
now “tight” in the sense that every address accessed by c must either be men- 
tioned in the precondition, or allocated by c before it is used (in which case the 
precondition must ensure the existence of a free address). 

Of course the preconditions in our Hoare rules must be modified to reflect this 
change in the definition of validity. The rules for skip, assignment, composition, 
if, and while, as well as the consequence rule, remain unchanged; therefore they 
are not shown below. The rules for list, alloc, lookup, mutate, and dispose however 
now have preconditions which consist of two parts: one guaranteeing the absence 
of an error, and the other one guaranteeing that the postcondition will hold in 
all reachable states. 

⊢t {λs h. (∃a. heap-isfree h a (length as)) ∧ (∀a. ((a [↦] (map (λe. e s) as)) 
−∗ (P (s[x ↦ a]))) h)} x :== list as {P} 

⊢t {λs h. (∃a. heap-isfree h a (n s)) ∧ (∀a vs. (length vs = n s) 
−→ ((a [↦] vs) −∗ (P (s[x ↦ a]))) h)} x :== alloc n {P} 

⊢t {λs h. (∃v. ((a s) ↪ v) h ∧ P (s[x ↦ v]) h)} x :== @a {P} 

⊢t {λs h. (((a s) ↦ −) ∧* (((a s) ↦ (v s)) −∗ P s)) h} @a :== v {P} 

⊢t {λs h. (((a s) ↦ −) ∧* P s) h} dispose a {P} 

These rules are similar to the ones presented in [16], with the exception that 
for list and alloc, we need to assert the existence of available memory in the 
precondition. (In [16], free heap cells are guaranteed to exist because heaps are 
always finite.) 

Using similar techniques as before - in particular, induction on \~t and a suit- 
ably modified notion of weakest liberal preconditions - we can prove soundness 
and relative completeness of this Hoare logic. Both properties are slightly more 
difficult to prove than for the logic in Section 4.1, since we do not just have to 
deal with the postcondition, but also with the safety constraint. 

Theorem. (⊨t {P} c {Q}) = (⊢t {P} c {Q}) 

4.3 Total Correctness 

So far we have only considered partial correctness, where a Hoare triple is valid iff 
every reachable state satisfies the postcondition. If we also want to take termina- 
tion into account, we need to define a judgment that expresses guaranteed 
termination of a command started in a given state. The Hoare rules then differ from those for par- 
tial correctness only in the one place where nontermination can arise: the while 
rule. For the simple While language, the details have been carried out in [13]. 
Since the new pointer commands always terminate, the development would be 
almost identical for our extended language. 

4.4 The Frame Rule 

In Hoare logic for the simple While language, one can show that if ⊨ {P} c {Q} 
then ⊨ {P ∧ R} c {Q ∧ R}, provided that no variables modified by c occur free in 
R. Under certain conditions (cf. the discussion in [19]), separation logic allows 
us to obtain a similar rule for our extended language: 

⊨ {P} c {Q} ⟹ ⊨ {P ∧* R} c {Q ∧* R}, 

with the same syntactic side condition on R. This Frame Rule is essential for 
modular verification, in particular in the presence of procedures. Unfortunately 
however, the Frame Rule does not hold in the two previously defined Hoare 
logics. As counterexamples consider 

\=p { . } dispose (A . ) {, ,, } 

{ . A* } dispose (A . ) A* }) 

for the Hoare logic in Section 4.1, and 

K { . } ' :==alloc (A . ) { } 

{ ■ A* } ’ :==alloc (A • ) { A* } 

for the logic in Section 4.2. The reason why the Frame Rule does not hold in the 
second Hoare logic is that this logic, when used with potentially infinite heaps, 
does not validate safety monotonicity [19]. Safety monotonicity means that if 
executing c in a state with heap h is safe (i.e. cannot lead to None), then 
executing c in a state with an extended heap h ++ h' (for h ⋈ h') must be 
safe as well. This is in particular false for list and alloc, since there may not be 
enough free addresses left in the extended heap. 

We could restore safety monotonicity by only considering finite heaps, as done 
in existing work on separation logic [16, 19]. Combined with an infinite contigu- 
ous address space, memory allocation will then always succeed. We note however 
that a slightly weaker property is sufficient to establish safety monotonicity: 
namely that heaps contain arbitrarily long sequences of unallocated addresses. 
(Reynolds imposes an equivalent, but more complicated condition on the set of 
addresses in [16].) This motivates a Hoare logic where we only consider such 
lacunary heaps. 

lacunary h = (∀n. ∃a. heap-isfree h a n) 

Clearly every finite heap is lacunary, and every heap whose domain is con- 
tained in the domain of a lacunary heap is itself lacunary. Furthermore, lacunar- 
ity is invariant under execution of commands. This can be shown by induction 
on the evaluation relation −→c, with the rules for list, alloc, and dispose being 
the more interesting cases. Unlike finiteness however, lacunarity is not preserved 
under union of heaps. 

Lemma. finite (dom h) ⟹ lacunary h 

Lemma. ⟦dom h ⊆ dom h'; lacunary h'⟧ ⟹ lacunary h 

Lemma. ⟨c, Some (s,h)⟩ −→c Some (s',h') ⟹ lacunary h' = lacunary h 

Based on the concept of lacunary heaps, we define yet another notion of 
validity, ⊨l, for Hoare triples. The requirements are exactly the same as for ⊨t 
(i.e. the postcondition must hold in every reachable valid state, and the error 
state None must be unreachable), but for ⊨l, they need to hold only if the initial 
heap is lacunary. 

⊨l {P} c {Q} = 

(∀s h. lacunary h −→ ((P s h −→ (Some (s,h), None) ∉ C(c)) 

∧ (∀s' h'. (Some (s,h), Some (s',h')) ∈ C(c) −→ P s h −→ Q s' h'))) 

A set of sound and relative complete Hoare rules is obtained by modifying 
the preconditions in the rules for skip, assignment, list, alloc, lookup, mutate, and 
dispose accordingly. The rules for list and alloc can then be simplified a little, 
since lacunarity already implies the existence of free addresses. The rules for 
composition, if, and while are the same as for ⊢t. To prove completeness of the 
while rule, however, we need to strengthen the consequence rule. 

⊢l {λs h. lacunary h −→ P s h} skip {P} 

⊢l {λs h. lacunary h −→ P (s[x ↦ (a s)]) h} x :== a {P} 

⊢l {λs h. lacunary h −→ (∀a. ((a [↦] (map (λe. e s) as)) 
−∗ (λhh. (P (s[x ↦ a]) hh))) h)} x :== list as {P} 

⊢l {λs h. lacunary h −→ (∀a vs. (length vs = n s) 
−→ ((a [↦] vs) −∗ (λhh. (P (s[x ↦ a]) hh))) h)} x :== alloc n {P} 

⊢l {λs h. lacunary h −→ (∃v. ((a s) ↪ v) h ∧ P (s[x ↦ v]) h)} x :== @a {P} 

⊢l {λs h. lacunary h −→ (((a s) ↦ −) ∧* (((a s) ↦ (v s)) −∗ P s)) h} 
@a :== v {P} 

⊢l {λs h. lacunary h −→ (((a s) ↦ −) ∧* P s) h} dispose a {P} 

⟦∀s h. lacunary h −→ P' s h −→ P s h; ⊢l {P} c {Q}; 
∀s h. lacunary h −→ Q s h −→ Q' s h⟧ ⟹ ⊢l {P'} c {Q'} 

As usual, soundness is proved by induction on ⊢l, and relative complete- 
ness is proved using (an adapted notion of) weakest liberal preconditions. The 
abovementioned properties of lacunary heaps are used in both directions of the 
proof. 

Theorem. (⊨l {P} c {Q}) = (⊢l {P} c {Q}) 

4.5 Proving the Frame Rule 

The proof of the Frame Rule presented in this subsection is largely based on [19]. 
Since we did not specify the syntax of assertions, our first step must be a semantic 
version of the Frame Rule’s side condition. The set of variables that are modified 
by a command is defined as follows. 
ModifiedVars skip = {} 

ModifiedVars (x :== a) = {x} 

ModifiedVars (c1; c2) = ModifiedVars c1 ∪ ModifiedVars c2 

ModifiedVars (if b then c1 else c2) = ModifiedVars c1 ∪ ModifiedVars c2 

ModifiedVars (while b do c) = ModifiedVars c 

ModifiedVars (x :== list as) = {x} 

ModifiedVars (x :== alloc n) = {x} 

ModifiedVars (x :== @a) = {x} 

ModifiedVars (@a :== v) = {} 

ModifiedVars (dispose a) = {} 

By induction on c, one can show that for x ∉ ModifiedVars c, the value of x 
is invariant under execution of c. 

Lemma. ∀s h s' h'. (Some (s,h), Some (s',h')) ∈ C(c) −→ x ∉ ModifiedVars(c) 
−→ (s x = s' x) 

We say an assertion P is independent of a set of variables S, written S ♯ P, iff P 
does not depend on the value of variables in S. 

S ♯ P = (∀s s'. (∀x. x ∉ S −→ s x = s' x) −→ (P s = P s')) 

The key lemma is now proved by induction on c. It states that a memory 
error occurring in a lacunary heap can also occur in every subheap, and a valid 
execution either has a corresponding “restricted” execution in the subheap, or 
it corresponds to a memory error. 

Lemma. ∀s h1 h2 s' h'. h1 ⋈ h2 
−→ (lacunary (h1 ++ h2) −→ (Some (s, h1 ++ h2), None) ∈ C(c) 
−→ (Some (s,h1), None) ∈ C(c)) 
∧ ((Some (s, h1 ++ h2), Some (s',h')) ∈ C(c) 
−→ (Some (s,h1), None) ∈ C(c) 
∨ (∃h1'. h1' ⋈ h2 ∧ h1' ++ h2 = h' ∧ (Some (s,h1), Some (s',h1')) ∈ C(c))) 

Both safety monotonicity and the frame property [19] follow immediately. 

Lemma. ⟦h1 ⋈ h2; lacunary (h1 ++ h2); (Some (s,h1), None) ∉ C(c)⟧ 
⟹ (Some (s, h1 ++ h2), None) ∉ C(c) 

Lemma. ⟦h1 ⋈ h2; (Some (s,h1), None) ∉ C(c); 
(Some (s, h1 ++ h2), Some (s',h')) ∈ C(c)⟧ 
⟹ ∃h1'. h1' ⋈ h2 ∧ h1' ++ h2 = h' ∧ (Some (s,h1), Some (s',h1')) ∈ C(c) 

Finally we can prove the Frame Rule. Safety monotonicity is used to show 
that the error state is unreachable, and the frame property proves that every 
reachable state satisfies the postcondition. 

Theorem. ⟦⊨l {P} c {Q}; (ModifiedVars c) ♯ R⟧ 
⟹ ⊨l {λs h. (P s ∧* R s) h} c {λs h. (Q s ∧* R s) h} 

5 Example: In-place List Reversal 

To evaluate the practical applicability of our framework, we verify an in-place 
list reversal algorithm. This relatively simple algorithm has been considered 
before [6,5], also by Reynolds [16], who gave an (informal) correctness proof 
using separation logic, and by Mehta and Nipkow [11], who formally verified the 
algorithm in Isabelle/HOL, but without separation logic. The actual algorithm 
is shown below. i, j and k are variables: i contains a pointer to the current 
(initially, the first) list cell, j contains a pointer to the previous list cell (initially 
null), and k, which is initialized at the beginning of the loop body, contains 
a pointer to the next list cell. null is just an abbreviation, rather than 
a distinguished address. This resembles the treatment of the NULL pointer in 
(e.g.) C [10]. 

reverse i j k = 
  (j :== (λs. null));                    (* initially, there is no previous list cell *) 
  while (λs. s i ≠ null) do              (* end of list reached? *) 
    ((k :== @(λs. Suc (s i)));           (* the next list cell *) 
     (@(λs. Suc (s i)) :== (λs. s j));   (* update pointer to next cell *) 
     (j :== (λs. s i));                  (* previous :== current *) 
     (i :== (λs. s k)))                  (* current :== next *) 

The corresponding specification theorem states that if i, j and k are distinct 
and i points to a list vs, then after execution of reverse i j k, j will point to the 
reversed list. 

Theorem. ⊨t {λs h. heap-list vs (s i) h ∧ distinct [i,j,k]} 
reverse i j k 
{λs h. heap-list (rev vs) (s j) h} 

The predicate heap-list relates singly linked linear lists on the heap to Is- 
abelle/HOL lists. heap-list vs a h is true iff the heap h contains a singly linked 
linear list whose cells contain the values vs, and whose first cell is at address a. 

heap-list [] a h = ((a = null) ∧ emp h) 

heap-list (v#vs) a h = ((a ≠ null) ∧ (∃k. ((a [↦] [v,k]) ∧* heap-list vs k) h)) 



To prove the specification, we use soundness of ⊢t and apply appropriate 
Hoare rules until we are left with three verification conditions: namely that the 
precondition, after execution of j :== (λs. null), implies the loop invariant 

(3y y.( A ( )A* . , A ( • )) A ( ,) = ( ,,)@,J 



A . 



that the loop invariant is preserved during execution of the loop body, and finally 
that the loop invariant, together with the negated loop condition, implies the postcondition. 

Lemma. heap-list vs a h ⟹ ∃ys xs. (heap-list ys null ∧* heap-list xs a) h 
∧ rev vs = rev xs @ ys 

Lemma. (heap-list ys j ∧* heap-list (x#xs) i) h ⟹ 
(heap-list xs (heap-lookup h (Suc i)) ∧* heap-list (x#ys) i) 
(heap-update h (Suc i) [j]) 

Lemma. (heap-list xs null ∧* heap-list ys a) h ⟹ heap-list (rev xs @ ys) a h 
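The program reverse i j k, the predicate heap-list and the tight specification above, as an executable model that runs the algorithm on constructed lists and checks the specification (and that the safety part of ⊨t really fails on a corrupted heap). This is an added example, not the paper's Isabelle/HOL code; null is modelled as address 0, which is an assumption of the model.

```python
"""Executable model of reverse i j k and its tight specification.

Added example, not the paper's code: the store is a dict from variable
names to naturals, the heap a dict from addresses to naturals, null is
modelled as address 0 (an assumption; the paper only says null is an
abbreviation), and a memory error yields None, like the paper's error state.
"""
from typing import Dict, List, Optional, Set, Tuple

NULL = 0
Store = Dict[str, int]
Heap = Dict[int, int]


class MemErr(Exception):
    """Access to an unallocated address (the None state of the semantics)."""


def lookup(h: Heap, a: int) -> int:
    if a not in h:
        raise MemErr(a)
    return h[a]


def update(h: Heap, a: int, v: int) -> None:
    if a not in h:
        raise MemErr(a)
    h[a] = v


def reverse(s: Store, h: Heap, i: str, j: str, k: str) -> Optional[Tuple[Store, Heap]]:
    """The program of Section 5, one command per line; None on memory error."""
    s, h = dict(s), dict(h)
    try:
        s[j] = NULL                        # j :== null
        while s[i] != NULL:                # end of list reached?
            s[k] = lookup(h, s[i] + 1)     # k :== @(Suc i), the next cell
            update(h, s[i] + 1, s[j])      # @(Suc i) :== j
            s[j] = s[i]                    # previous :== current
            s[i] = s[k]                    # current :== next
    except MemErr:
        return None
    return s, h


def heap_list_cells(vs: List[int], a: int, h: Heap) -> Optional[Set[int]]:
    """Addresses of the list vs starting at a, following heap-list cell by
    cell (each cell is a [↦] [v, k], i.e. the pair a, Suc a), or None."""
    cells: Set[int] = set()
    for v in vs:
        if a == NULL or a not in h or a + 1 not in h or h[a] != v:
            return None
        if a in cells or a + 1 in cells:   # cells must be disjoint (∧*)
            return None
        cells |= {a, a + 1}
        a = h[a + 1]
    return cells if a == NULL else None    # the [] case needs a = null


def heap_list(vs: List[int], a: int, h: Heap) -> bool:
    """heap-list vs a h: h consists of exactly the cells of the list."""
    cells = heap_list_cells(vs, a, h)
    return cells is not None and cells == set(h)


def heap_list_pair(ys: List[int], j: int, xs: List[int], i: int, h: Heap) -> bool:
    """(heap-list ys j ∧* heap-list xs i) h: disjoint lists covering h."""
    c1, c2 = heap_list_cells(ys, j, h), heap_list_cells(xs, i, h)
    return c1 is not None and c2 is not None and not (c1 & c2) and (c1 | c2) == set(h)


def make_list(vs: List[int], start: int = 10) -> Heap:
    """Constructed heap laying out vs as consecutive two-cell records."""
    h: Heap = {}
    for n, v in enumerate(vs):
        a = start + 2 * n
        h[a], h[a + 1] = v, (a + 2 if n + 1 < len(vs) else NULL)
    return h


def check_spec(vs: List[int]) -> bool:
    """Instance of the specification theorem on a constructed list: the
    precondition holds, no memory error occurs, and j points to rev vs."""
    s = {"i": 10 if vs else NULL, "j": 0, "k": 0}
    h = make_list(vs)
    if not heap_list(vs, s["i"], h):
        return False
    result = reverse(s, h, "i", "j", "k")
    if result is None:
        return False
    s2, h2 = result
    return heap_list(vs[::-1], s2["j"], h2)
```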



The first and last lemma are easily proved with the help of simple properties 
of heap-list. The proof of the second lemma is more difficult. Using the definition 
of separating conjunction, we obtain disjoint subheaps h' and h'' of h with 
heap-list ys j h' and heap-list (x#xs) i h''. The conclusion can then be shown by 
splitting heap-update h (Suc i) [j] into two disjoint heaps. Overall the separation logic proof is slightly 
less automatic than the proof in [11]. 

At the moment, the proof strategy employed here seems to be characteristic 
of formal program verification with separation logic. First Hoare rules are used 
to obtain a set of verification conditions; this step could easily be automated for 
programs with loop annotations. Some of the verification conditions can then 
be shown using simple algebraic properties (e.g. commutativity, associativity) of 
separating conjunction and implication and the involved predicates, while others 
presently require semantic arguments. Although it is known that separation logic 
is not finitely axiomatizable [7], we hope that further case studies will allow us 
to identify other useful laws of the separating connectives, so that the need for 
(usually involved) semantic arguments can be minimized. 



6 Conclusions and Future Work 

This work is a first step towards the use of separation logic in machine-assisted 
program verification. We have mechanically verified semantic properties of sep- 
aration logic, and presented three different Hoare logics for pointer programs, 
all of which we proved sound and relative complete. The whole development, in- 
cluding a formal proof of the Frame Rule, was carried out in the semi-automatic 
theorem prover Isabelle/HOL. 

From our experience, separation logic can be a useful tool to state program 
specifications in a short and elegant way. At this time, however, the advantage 
of concise specifications comes with a cost: verification proofs, when carried out 
at the level of detail that is required for mechanical verification, tend to become 
more intricate and less automatic. Further work is necessary to achieve a better 
integration of separation logic into the existing Isabelle/HOL framework, and to 
increase the degree of proof automation for the connectives of separation logic. 

More immediate aims are a verification condition generator for an annotated 
version of the language, some syntactic sugar for the connectives of separation 
logic, and extensions to the programming language, e.g. recursive procedures 
and concurrency. 

Acknowledgements. The author would like to thank Tobias Nipkow, Farhad Mehta 
and the anonymous referees for their valuable comments. 
Abstract. We consider a scenario where (functional) programs in pre-compiled 
form are exchanged among untrusted parties. Our contribution is a system of 
annotations for the code that can be verified at load time so as to ensure bounds 
on the time and space resources required for its execution, as well as to guarantee 
the usual integrity properties. 

Specifically, we define a simple stack machine for a first-order functional 
language and show how to perform type, size, and termination verifications at the 
level of the bytecode of the machine. In particular, we show that a combination 
of size verification based on quasi-interpretations and of termination verification 
based on lexicographic path orders leads to an explicit bound on the space re- 
quired for the execution. 



1 Introduction 

Research on mobile code has been a hot topic since the late 90’s with many propos- 
als building on the Java platform. Application scenarios include, for instance, pro- 
grammable switches, network games, and applications for smart cards. A prevailing 
conclusion is that security issues are one of the fundamental problems that still have to 
be solved before mobile code can become a well-established and well-accepted tech- 
nology. Initial proposals have focused on the integrity properties of the execution envi- 
ronment such as the absence of memory faults. In this paper, we consider an additional 
property of interest to guarantee the safety of a mobile code, that is, ensuring bounds 
on the (computational) resources needed for the execution of the code. 

The interest of carrying on such analyses at bytecode level are now well under- 
stood [15, 16]. First, mobile code is shipped around in pre-compiled (or bytecode) form 
and needs to be analysed as such. Second, compilation is an error prone process and 
therefore it seems safer to perform static analyses at the level of the bytecode rather 
than at source level. In particular, we can reduce the size of the trusted code base and 
shift from the reliance on the correctness of the whole compilation chain to only the 
trust on the analyser. 

Approach. The problem of bounding the usage made by programs of their resources 
has already attracted considerable attention. Automatic extraction of resource bounds 
has mainly focused on (first-order) functional languages starting from Cobham’s char- 
acterisation [7] of polynomial time functions by bounded recursion on notation. Follow- 
ing work, see e.g., [4, 8, 9, 11], has developed various inference techniques that allow 
for efficient analyses while capturing a sufficiently large range of practical algorithms. 

We consider a rather standard first-order functional programming language with in- 
ductive types, pattern matching, and call-by-value, that can be regarded as a fragment of 
various ML dialects. The language is also quite close to term rewriting systems (TRS) 
with constructor symbols. The language comes with three main varieties of static anal- 
yses: (i) a standard type analysis, (ii) an analysis of the size of the computed values 
based on the notion of quasi-interpretation, and (iii) an analysis that ensures termina- 
tion; among the many available techniques we select here recursive path orderings. 

The last two analyses, and in particular their combination, are instrumental to the 
prediction of the space and time required for the execution of a program as a function of 
the size of the input data. For instance, it is known [5] that a program admitting a poly- 
nomially bound quasi-interpretation and terminating by lexicographic path-ordering 
runs in polynomial space. This and other results can be regarded as generalisations 
and variations over Cobham’s characterisation. 

Contribution. The synthesis of termination orderings is a classical topic in term rewrit- 
ing (see for instance [6]). The synthesis of quasi-interpretations — a concept introduced 
by Marion et al. [13] — is connected to the synthesis of polynomial interpretations for 
termination but it is generally easier because inequalities do not need to be strict and 
small degree polynomials are often enough [2]. We will not address synthesis issues 
in this paper. We suppose that the bytecode comes with annotations such as types and 
polynomial interpretations of function symbols and orders on function symbols. 

We define a simple stack machine for a first-order functional language and show 
how to perform type, size, and termination verifications at the level of the bytecode of 
the machine. These verifications rely on certifiable annotations of the bytecode — we 
follow here the classical viewpoint that a program may originate from a malicious party 
and does not necessarily result from the compilation of a well-formed program. 

Our main goal is to determine how these annotations have to be formulated and 
verified in order to entail size bounds and termination at bytecode level, i.e., at the level 
of an assembler-like code produced by a compiler and executable on a simple stack 
machine. We carry on this program up to the point where it is possible to verify that a 
given bytecode will run in polynomial space thus providing a translation of the result 
mentioned above at byte code level. Beyond proving that a program “is in PSPACE” 
we extract a polynomial that bounds the size needed to run a program: given a function 
(identifier) f of arity n in a verified program, we obtain a polynomial q(x1, ..., xn) 
such that for all values v1, ..., vn of the appropriate types, the size needed for the 
evaluation of the call f(v1, ..., vn) is bounded by q(|v1|, ..., |vn|), where |v| is the 
size of the value v. 

A secondary goal of our work is of a pedagogical nature: present a minimal — 
the virtual machine includes only 6 instructions — but still relevant scenario in which 
problems connected to bytecode verification can be effectively discussed. 

Our approach to resource bound certification follows distinctive design decisions. 
First, we allow the space needed for the execution of a program to vary depending on 
the size of its arguments. This is in contrast to most approaches that try to enforce 
a constant space bound. While this latter goal is reasonable for applications targeting 
embedded devices, we believe that it is not always relevant in the context of mobile 
code. Second, our method is applicable to a large class of algorithms and does not im- 
pose specific syntactical restrictions on programs. For example, we depart from works 
based on a linear usage of variables [8]. Given the specificities of our method, we may 
often ensure bounds on resources where other methods fail, but we may also give very 
rough estimates of the space needed, e.g. in cases where another method would have de- 
tected that memory operations may be achieved in-place. Hence, it may be interesting 
to couple our analysis with other methods for ensuring resource bounds. 

Paper Organisation. The paper is organised as follows. Section 2 sketches a first- 
order functional language with simple types and call-by-value evaluation and recalls 
some basic facts about quasi-interpretations and termination. Section 3 describes a sim- 
ple virtual machine comprising a minimal set of 6 instructions that suffice to compile the 
language described in the previous section. In Section 4, we define a type verification 
that guarantees that all values on the stack will be well typed. This verification assumes 
that constructors and function symbols in the bytecode are annotated with their type. In 
the following sections, we also assume that they are annotated with suitable functions 
to bound the size of the values on the stack (Section 6) and with an order to guaran- 
tee termination (Section 7). The size and termination verifications depend on a shape 
verification which is described in Section 5. 

The presentation of each verification follows a common pattern: (i) definition of 
constraints on the bytecode and (ii) definition of a predicate which is invariant under 
machine reduction. The essential technical difficulty is in the structuring of the con- 
straints and the invariants, the proofs are then routine inductive arguments. Additional 
technical details and omitted proofs can be found in a long version of this extended 
abstract [3]. 

2 A Functional Language 

We consider a simple, typed, first-order functional language, with inductive types and 
pattern-matching. A program is composed of a list of mutually recursive type definitions 
followed by a list of mutually recursive first-order function definitions relying on pattern 
matching. Expressions and values in the language are built from a finite number of 
constructors, ranged over by c, c', ... We use f, f', ... to range over function identifiers 
and x, x', ... for variables, and distinguish the following three syntactic categories: 

v ::= c(v, ..., v)                       (values) 

p ::= x | c(p, ..., p)                   (patterns) 

e ::= x | c(e, ..., e) | f(e, ..., e)    (expressions) 

A function is defined by a sequence of pattern-matching rules of the form f(p1, ..., 
pn) ⇒ e, where e is an expression. We follow the usual hypothesis that the patterns 
p1, ..., pn are linear and do not superpose. If e is an expression then (e) is the set 
of variables occurring in it. The size of an expression |e| is defined as 0 if e is a constant 
or a variable and 1 + Σ_{i ∈ 1..n} |e_i| if e is of the form c(e1, ..., en) or f(e1, ..., en). 
Types. We use t, t1, ... to range over type identifiers. A type definition associates with 
each identifier the sequence of the types of its constructors, of the form c of t1 * ... * tn. 
For instance, we can define the type of binary words and the type of natural 
numbers in unary format: 

, ^ = nil I 0^ , . ^ . \ 1 of . ^ ^ = z I ^ 

In the following, we consider that constructors are declared with their functional 
type (t1, ..., tn) → t. Similar types can be either assigned or inferred for the function 
symbols. We use the notation f : (t1, ..., tn) → t to refer to the type of f and (f) 
for the arity of f. We use similar notations for constructors. The typing rules for the 
language are standard and are omitted — all the results given in this paper could be 
easily extended to a system with parametric polymorphism. 



Evaluation. The following two rules define the standard call-by-value evaluation rela- 
tion, where σ is a substitution from variables to values. In order to define the rule se- 
lected in the evaluation of a function call, we rely on the match function, which returns 
the unique substitution (if any) defined on the variables in the patterns and matching the 
patterns against the vector of values. In particular, the condition match((p1, ..., pn), 
(v1, ..., vn)) = σ imposes that σ(pi) = vi for all i ∈ 1..n. 

  e_j ⇓ v_j   (j ∈ 1..n) 
  ─────────────────────────────────── 
  c(e1, ..., en) ⇓ c(v1, ..., vn) 

  f(p1, ..., pn) ⇒ e rule   e_j ⇓ v_j   (j ∈ 1..n) 
  match((p1, ..., pn), (v1, ..., vn)) = σ   σ(e) ⇓ v 
  ─────────────────────────────────── 
  f(e1, ..., en) ⇓ v 

Example 1. The function add, defined by the following two 
rules, computes the sum of two natural numbers. 

  add(z, y) ⇒ y        add(s(x), y) ⇒ add(x, s(y)) 

Quasi-Interpretations. Given a program, an assignment q associates with constructors 
c, ... and function symbols f, ... functions q_c, q_f, ... over the non-negative reals R+ 
such that: (i) if c is a constant then q_c is the constant* 0, (ii) if c is a constructor with arity 
n ≥ 1 then q_c is the function in (R+)^n → R+ such that q_c(x1, ..., xn) = d + Σ_{i ∈ 1..n} x_i, 
for some d ≥ 1, and (iii) if f is a function (identifier) with arity n then q_f : (R+)^n → 
R+ is monotonic and for all i ∈ 1..n we have q_f(x1, ..., xn) ≥ x_i. An assignment q 
is extended to all expressions as follows: q_x = x, q_{c(e1, ..., en)} = q_c(q_{e1}, ..., q_{en}), and 
q_{f(e1, ..., en)} = q_f(q_{e1}, ..., q_{en}). 

Thus for every expression e we have a function expression q_e with variables in 
(e). An assignment is a quasi-interpretation if for every rule f(p1, ..., pn) ⇒ e in 
the program, the inequality q_{f(p1, ..., pn)} ≥ q_e holds over R+. 

Example 2. With reference to Example 1, consider the assignment q_s(x) = 1 + x and 
q_add(x, y) = x + y. Since by definition q_z = 0, we note that q_v = |v| for all values v of 
the type of natural numbers. Moreover, it is easy to check that q is a quasi-interpretation as the inequalities 

q_add(0, y) ≥ y and q_add(1 + x, y) ≥ q_add(x, 1 + y) hold. □ 

* We can choose any positive real constant for q_c, but this choice simplifies some of our proofs. 
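The evaluation rules, the match function and the size measure |e| of Section 2, together with the assignment of Example 2, as an executable model that evaluates add on unary numerals and checks the quasi-interpretation inequalities on sample values. This is an added example, not the paper's code; the names variables(), evaluate() and nat() are this model's own.

```python
"""Call-by-value evaluation and a quasi-interpretation check for Examples 1 and 2.

Added example, not the paper's code. Terms are tuples (name, arg1, ..., argn),
variables are strings, the program is the add function of Example 1, and the
assignment is that of Example 2. The name variables() for the set of variables
of an expression is this model's choice.
"""
from itertools import product
from typing import Callable, Dict, List, Optional, Set, Tuple

Term = Tuple
Subst = Dict[str, Term]

def is_var(t) -> bool:
    return isinstance(t, str)

def size(t) -> int:
    """|e|: 0 for a constant or a variable, else 1 + the sizes of the arguments."""
    if is_var(t) or len(t) == 1:
        return 0
    return 1 + sum(size(a) for a in t[1:])

def variables(t) -> Set[str]:
    """The set of variables occurring in a term."""
    return {t} if is_var(t) else set().union(*(variables(a) for a in t[1:]))

def match_one(p, v, sigma: Subst) -> bool:
    """Extend sigma so that sigma(p) = v (patterns are linear, so no clash)."""
    if is_var(p):
        sigma[p] = v
        return True
    if p[0] != v[0] or len(p) != len(v):
        return False
    return all(match_one(pi, vi, sigma) for pi, vi in zip(p[1:], v[1:]))

def match(ps, vs) -> Optional[Subst]:
    """match((p1, ..., pn), (v1, ..., vn)): the unique substitution, if any."""
    sigma: Subst = {}
    ok = len(ps) == len(vs) and all(match_one(p, v, sigma) for p, v in zip(ps, vs))
    return sigma if ok else None

def subst(sigma: Subst, e):
    """sigma(e)."""
    return sigma[e] if is_var(e) else (e[0],) + tuple(subst(sigma, a) for a in e[1:])

CONSTRUCTORS = {"z", "s"}
# Example 1: the rules f(p1, ..., pn) => e of add, keyed by function name.
RULES: Dict[str, List[Tuple[Tuple, Term]]] = {
    "add": [((("z",), "y"), "y"),
            ((("s", "x"), "y"), ("add", "x", ("s", "y")))],
}
# Example 2: the assignment q (integers suffice for these checks).
Q: Dict[str, Callable[..., int]] = {
    "z": lambda: 0, "s": lambda x: 1 + x, "add": lambda x, y: x + y,
}

def evaluate(e) -> Term:
    """e ⇓ v: evaluate the arguments, then build the constructor value or
    fire the rule whose patterns match the argument values."""
    if is_var(e):
        raise ValueError("free variable in a closed expression")
    vs = tuple(evaluate(a) for a in e[1:])
    if e[0] in CONSTRUCTORS:
        return (e[0],) + vs
    for ps, body in RULES[e[0]]:
        sigma = match(ps, vs)
        if sigma is not None:
            return evaluate(subst(sigma, body))
    raise ValueError(f"no rule of {e[0]} matches")

def q(e, env: Dict[str, int]) -> int:
    """q_e: the assignment extended to expressions, variables read from env."""
    return env[e] if is_var(e) else Q[e[0]](*(q(a, env) for a in e[1:]))

def nat(n: int) -> Term:
    """The unary numeral s^n(z)."""
    return ("z",) if n == 0 else ("s", nat(n - 1))

def qi_holds_on_samples(fname: str, bound: int = 6) -> bool:
    """q_{f(p1, ..., pn)} >= q_e for each rule of f on a grid of sample values
    of the rule's variables: a sanity check, not the Presburger decision."""
    for ps, body in RULES[fname]:
        lhs = (fname,) + tuple(ps)
        names = sorted(variables(lhs))
        for vals in product(range(bound), repeat=len(names)):
            env = dict(zip(names, vals))
            if q(lhs, env) < q(body, env):
                return False
    return True

def size_bound_holds(m: int, n: int) -> bool:
    """|v| <= q_add(|s^m(z)|, |s^n(z)|) for the value v of add(s^m(z), s^n(z))."""
    v = evaluate(("add", nat(m), nat(n)))
    return size(v) <= Q["add"](size(nat(m)), size(nat(n)))
```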

Quasi-interpretations are designed so as to provide a bound on the size of the com- 
puted values as a function of the size of the input data. An interesting space for the 
synthesis of quasi-interpretations is the collection of max-plus polynomials [2], that is, 
functions equivalent to an expression of the form max_{i ∈ 1..k} (Σ_{j ∈ 1..n} α_{ij} x_j + a_i), with 
α_{ij} ∈ N and a_i ∈ Q+, where N are the natural numbers and Q+ are the non-negative 
rationals. In this case, checking whether an assignment is a quasi-interpretation can be 
reduced to checking the satisfiability of a Presburger formula, and is therefore a decid- 
able problem. 

3 The Virtual Machine 

We define a simple stack machine and a related set of bytecode instructions for the compilation and the evaluation of programs. We adopt the usual notation on words: $\epsilon$ is the empty sequence, $x \cdot x'$ is the concatenation of two sequences $x, x'$. We may also omit the concatenation operation $\cdot$ by simply writing $xx'$. Moreover, if $x$ is a sequence then $|x|$ is its length and $x[i]$ its $i$-th element counting from 1. We denote with $\mathbf{y}$ a vector $(y_1, \dots, y_n)$ of elements. Then $\mathbf{y}_i$ stands for the element $y_i$ and $|\mathbf{y}|$ is the number $n$ of elements in the vector. In the following, we will often manipulate vectors of sequences and use the notation $\mathbf{y}_i[k]$ to denote the $k$-th element in the $i$-th sequence of vector $\mathbf{y}$.

We suppose given a program with a set of constructor names and a disjoint set of function names. A function identifier $f$ will also denote the sequence of instructions of the associated code. Then $f[i]$ stands for the $i$-th instruction in the (compiled) code of $f$ and $|f|$ for the number of instructions.

The virtual machine is built around a few components: (1) an association list between function identifiers and function codes; (2) a configuration $M$, which is a sequence of frames representing the memory of the machine; (3) a bytecode interpreter modelled as a reduction relation on configurations. In turn, a frame is a triple $(f, pc, \ell)$ composed of a function identifier, the value of the program counter (a natural number in $1..|f|$), and a stack. A stack is a sequence of values that serves both to store the parameters and the values computed during the execution. We work with a minimal set of instructions whose effect on the configuration is described in Table 1 and write $M \to M'$ if $M$ reduces to $M'$ by applying exactly one of the transformations.

The reduction $M \to M'$ is deterministic. The empty sequence of frames $\epsilon$ is a special state which cannot be reached by a computation that does not raise an error, i.e., that does not execute the instruction stop. A "good" execution starts with a configuration of the form $(f, 1, v_1 \cdots v_n)$, containing only one frame that corresponds to the evaluation of the expression $f(v_1, \dots, v_n)$. The execution ends with a configuration of the form $(f, pc, \ell \cdot v_0)$ where $1 \le pc \le |f|$ and $f[pc] = \text{return } n$ (the integer $n$ is the arity of $f$). In this case the result of the evaluation is $v_0$. By extension, we say that the configuration $M$ is a result $v_0$, denoted $M \Downarrow v_0$, if there exists a sequence $\ell$ such that $M = (f, pc, \ell \cdot v_0)$ with $1 \le pc \le |f|$ and $f[pc] = \text{return } n$. All the other cases of blocked configuration, such that $M \not\to$, are considered as runtime errors.
Table 1. Bytecode Interpreter: $M \to M'$

case $f[pc]$ of
  load $i$: if $pc < |f|$ and $\ell[i] = v$ then $M \cdot (f, pc, \ell) \to M \cdot (f, pc + 1, \ell \cdot v)$
  build $c\ n$: if $pc < |f|$ and $\ell = \ell' \cdot v_1 \cdots v_n$ then $M \cdot (f, pc, \ell) \to M \cdot (f, pc + 1, \ell' \cdot c(v_1, \dots, v_n))$
  branch $c\ j$ (match): if $pc < |f|$ and $\ell = \ell' \cdot c(v_1, \dots, v_n)$ then $M \cdot (f, pc, \ell) \to M \cdot (f, pc + 1, \ell' \cdot v_1 \cdots v_n)$
  branch $c\ j$ (no match): if $1 \le j \le |f|$ and $\ell = \ell' \cdot d(\dots)$ with $c \ne d$ then $M \cdot (f, pc, \ell) \to M \cdot (f, j, \ell)$
  call $g\ n$: if $pc < |f|$ and $\ell = \ell' \cdot v_1 \cdots v_n$ then $M \cdot (f, pc, \ell) \to M \cdot (f, pc, \ell) \cdot (g, 1, v_1 \cdots v_n)$
  stop: $M \cdot (f, pc, \ell) \to \epsilon$
  return $n$: if $\ell = \ell_0 \cdot v_0$ and $\ell' = \ell'' \cdot v_1 \cdots v_n$ then $M \cdot (g, pc', \ell') \cdot (f, pc, \ell) \to M \cdot (g, pc' + 1, \ell'' \cdot v_0)$



The language described in section 2 admits a direct compilation in our functional 
bytecode. Every function is compiled into a segment of instructions and linear pattern 
matching is compiled into a nesting of branch instructions. Finally, variables are re- 
placed by offsets from the base of the stack frame. 

Clearly, a realistic implementation should at least include a mechanism to execute tail recursive calls efficiently (when a call instruction is immediately followed by return) and a mechanism to share common sub-values in a configuration. For instance, using a stack of pointers to values allocated on a heap, it is possible to dispense with the copy performed by a load instruction. Our approach to size verification of the stack could be adapted to these possible enhancements of the virtual machine.
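The reduction rules of Table 1, run on the compiled code of $add$ (Example 3), as an added example that is not the authors' implementation: a Python interpreter for the stack machine. Values are constructor terms, the instruction encoding is the example's own, and the program BAD is a constructed ill-formed function whose blocked configuration illustrates the runtime errors that the verifications of Sections 4 to 7 are meant to rule out before execution.

```python
"""Stack machine of Table 1 (added example, not the paper's code).
A frame is (f, pc, stack) with a 1-based pc; a configuration is a list of frames."""

Z = ("z", ())                      # values are constructor terms (symbol, args)
def S(v):
    return ("s", (v,))
def nat(n):
    v = Z
    for _ in range(n):
        v = S(v)
    return v
def to_int(v):
    n = 0
    while v[0] == "s":
        v, n = v[1][0], n + 1
    return n

# Compiled code of add (Example 3); instruction i is ADD[i - 1].
ADD = [("load", 1), ("branch", "s", 7), ("load", 2), ("build", "s", 1),
       ("call", "add", 2), ("return", 2), ("load", 2), ("return", 2)]
PROGRAM = {"add": ADD}

class Blocked(Exception):
    """No rule of Table 1 applies and M is not a result: a runtime error."""

def is_result(M, program):
    if len(M) != 1:
        return False
    f, pc, st = M[0]
    return program[f][pc - 1][0] == "return" and len(st) > 0

def step(M, program):
    """One reduction M -> M' of Table 1; raises Blocked when no rule applies."""
    f, pc, st = M[-1]
    code, ins = program[f], program[f][pc - 1]
    op, rest = ins[0], M[:-1]
    if op == "load":
        i = ins[1]
        if pc < len(code) and 1 <= i <= len(st):
            return rest + [(f, pc + 1, st + [st[i - 1]])]
    elif op == "build":
        c, n = ins[1], ins[2]
        if pc < len(code) and len(st) >= n:
            return rest + [(f, pc + 1, st[:len(st) - n] + [(c, tuple(st[len(st) - n:]))])]
    elif op == "branch":
        c, j = ins[1], ins[2]
        if st and st[-1][0] == c and pc < len(code):        # match: unpack the arguments
            return rest + [(f, pc + 1, st[:-1] + list(st[-1][1]))]
        if st and st[-1][0] != c and 1 <= j <= len(code):   # no match: jump, stack untouched
            return rest + [(f, j, st)]
    elif op == "call":
        g, n = ins[1], ins[2]
        if pc < len(code) and g in program and len(st) >= n:
            return M + [(g, 1, st[len(st) - n:])]          # caller stays at pc; callee gets n args
    elif op == "stop":
        return []
    elif op == "return":
        n = ins[1]
        if st and len(M) >= 2:
            g, pc2, st2 = M[-2]
            if len(st2) >= n:                               # pop the n arguments of the call
                return M[:-2] + [(g, pc2 + 1, st2[:len(st2) - n] + [st[-1]])]
    raise Blocked(f"{f}[{pc}] = {ins} on a stack of height {len(st)}")

def run(f, args, program=PROGRAM, fuel=10_000):
    """Evaluate f(args) from the initial configuration (f, 1, v1 ... vn); return v0."""
    M = [(f, 1, list(args))]
    for _ in range(fuel):
        if is_result(M, program):
            return M[0][2][-1]
        if not M:
            raise Blocked("stop was executed: the empty configuration has no result")
        M = step(M, program)
    raise Blocked("no result within the fuel limit")

def blocks(f, args, program):
    """True if evaluating f(args) ends in a runtime error (blocked configuration)."""
    try:
        run(f, args, program)
        return False
    except Blocked:
        return True

# Constructed ill-formed code: load 3 on a two-element stack blocks at once.
BAD = {"bad": [("load", 3), ("return", 2)]}
```

The interpreter checks every side condition of Table 1 at run time; the point of the following sections is that, for verified code, none of these checks can fail, so a production machine could omit them.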

Preliminary Verifications. We define a minimal set of (syntactical) conditions on the shape of the code so as to avoid the simplest form of errors, e.g., to guarantee that the program counter stays within the intended bounds.

A new frame may only originate from a call instruction, that is, for every pair of contiguous frames, $\cdots (f, pc, \ell)\,(g, pc', \ell') \cdots$, the instruction $f[pc]$ must be of the form $\text{call } g\ n$ and the stack $\ell$ must end with $n$ values, say $v_1 \cdots v_n$, which are the parameters used in the call for $g$. We use the notation $arg(M, j)$ to refer to the vector of arguments with which the $j$-th frame in $M$ has been called: if $1 < j \le m$ and $M = (f_1, i_1, \ell_1) \cdots (f_m, i_m, \ell_m)$, we have $arg(M, j) = (v_1, \dots, v_k)$ where $ar(f_j) = k$ and $\ell_{j-1} = \ell \cdot v_1 \cdots v_k$. (An alternative presentation of the reduction rules could be to carry these parameters explicitly as extra annotations on each frame.) By convention, we use $arg(M, 1)$ for the sequence of values used to initialise the execution of the machine.

We say that a function $f$ is well-formed if the sequence of code of $f$ terminates either with the stop or with the return instruction. Moreover, for every index $i \in 1..|f|$, we ask that: (1) if $f[i] = \text{load } k$ then $k \ge 1$ and (2) if $f[i] = \text{branch } c\ j$ then $1 \le j \le |f|$. We assume that every function in the code is well-formed; the result of the compilation of functional programs clearly meets these well-formedness conditions. We say that a configuration $M = (f_1, i_1, \ell_1) \cdots (f_m, i_m, \ell_m)$ is well-formed if for all $j \in 1..m$ we have (1) the program counter $i_j$ is in $1..|f_j|$; (2) the expression $arg(M, j)$ is defined; and (3) for all $j \in 1..m-1$ we have $f_j[i_j] = \text{call } f_{j+1}\ n_{j+1}$ (type verification will ensure, among other properties, that $n_{j+1}$ is the arity of the function $f_{j+1}$). Well-formedness is preserved during execution (and the configuration $\epsilon$ is well-formed).

Proposition 1. If $M$ is a well-formed configuration and $M \to M'$ then the configuration $M'$ is also well-formed.

Table 2. Well-Typed Instructions: $wt_i(f, \mathbf{T})$

case $f[i]$ of
  load $k$: $i < |\mathbf{T}|$, $\mathbf{T}_i[k] = t$ and $\mathbf{T}_{i+1} = \mathbf{T}_i \cdot t$
  build $c\ n$: let $c : (t_1, \dots, t_n) \to t_0$ in $\exists T.\ i < |\mathbf{T}|$, $\mathbf{T}_i = T \cdot t_1 \cdots t_n$ and $\mathbf{T}_{i+1} = T \cdot t_0$
  call $g\ n$: let $g : (t_1, \dots, t_n) \to t_0$ in $\exists T.\ i < |\mathbf{T}|$, $\mathbf{T}_i = T \cdot t_1 \cdots t_n$ and $\mathbf{T}_{i+1} = T \cdot t_0$
  return $n$: let $f : (t_1, \dots, t_n) \to t_0$ in $\exists T.\ \mathbf{T}_i = T \cdot t_0$
  stop: true
  branch $c\ j$: let $c : (t_1, \dots, t_n) \to t_0$ in $\exists T.\ i < |\mathbf{T}|$, $\mathbf{T}_i = T \cdot t_0$, $\mathbf{T}_{i+1} = T \cdot t_1 \cdots t_n$ and $\mathbf{T}_j = \mathbf{T}_i$



4 Type Verification 

In this section, we define a simple type verification to ensure the well-formedness and 
well-typedness of the machine configurations during execution. This verification is very 
similar to the so called bytecode verification in the Java platform, see e.g. [1], and 
can be directly used as the basis of an algorithm for validating the bytecode before its 
execution by the interpreter. (A major difference is that we do not have to consider 
subroutines, access modifiers or object initialisation in our language.) 

Type verification associates with every instruction (every step in the evaluation of a function code) an abstraction of the stack. In our case, an abstract stack is a sequence of types, or type stack, $T = t_1 \cdots t_n$, that should exactly match the types of the values present in the stack at the time of the execution. Accordingly, an abstract execution for a function $f$ is a sequence $\mathbf{T}$ of type stacks such that $|\mathbf{T}| = |f|$.

To express that an abstract execution $\mathbf{T}$ is coherent with the instructions in $f$, we define the notion of well-typed instruction based on the auxiliary relation $wt_i(f, \mathbf{T})$, given in Table 2. Informally, we show that if $wt_i(f, \mathbf{T})$ and $\mathbf{T}_i = t_1 \cdots t_k$ then for every valid evaluation of $f$, the stack of values at the time of the execution of $f[i]$ is $\ell = v_1 \cdots v_k$ where $v_j$ is a value of type $t_j$ for every $j \in 1..k$. The definition of the relation $wt_i(f, \mathbf{T})$, where $|f| = |\mathbf{T}|$, is by case analysis on the instruction $f[i]$.

We define a well-typed function as a sequence of well-typed instructions. To verify a whole program, we simply need to verify every function separately.

Definition 1 (Well-Typed Function). A sequence $\mathbf{T}$ is a valid abstract execution for the function $f$ with signature $(t_1, \dots, t_n) \to t_0$, denoted $wt(f, \mathbf{T})$, if and only if $\mathbf{T}_1 = t_1 \cdots t_n$ and $wt_i(f, \mathbf{T})$ for every $i \in 1..|f|$.
We define the flow graph of function $f$ as the directed graph $(\{1, \dots, |f|\}, E_f)$ such that for all $i \in 1..|f|-1$, the edge $(i, i+1)$ is in $E_f$ if $f[i]$ is a load, build, or call instruction and the edges $(i, i+1)$ and $(i, j)$ are in $E_f$ if $f[i]$ is the instruction $\text{branch } c\ j$. If every node in the flow graph is reachable from the node 1 then there is at most one abstract execution $\mathbf{T}$ such that $wt(f, \mathbf{T})$. Moreover, $\mathbf{T}$ can be effectively computed as the fixpoint of a function iterating the conditions given in Table 2, for example using Kildall's algorithm [10].
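As an added example (not the authors' verifier), the following Python code computes the abstract execution $\mathbf{T}$ by a worklist iteration over the flow graph, checking each instruction against Table 2 and rejecting any node reached with two different type stacks (since the solution must be unique, no merging is attempted). On the code of $add$ it recomputes the type stacks displayed in Example 3; it also rejects two constructed malformed variants, an out-of-range load and a call whose arity annotation disagrees with the callee's signature. The signatures, instruction encoding and error messages are assumptions of the example.

```python
"""Type verification of Table 2 by fixpoint iteration (added example, not the paper's code)."""

CONSTR = {"z": ((), "nat"), "s": (("nat",), "nat")}   # c : (t1, ..., tn) -> t0
FUNS = {"add": (("nat", "nat"), "nat")}               # f : (t1, ..., tn) -> t0

# Compiled code of add from Example 3 (instruction i is ADD[i - 1]).
ADD = [("load", 1), ("branch", "s", 7), ("load", 2), ("build", "s", 1),
       ("call", "add", 2), ("return", 2), ("load", 2), ("return", 2)]

def well_formed(code):
    """Syntactic conditions of Section 3: ends with stop/return, load k has k >= 1,
    branch targets stay inside the code."""
    if not code or code[-1][0] not in ("stop", "return"):
        return False
    for ins in code:
        if ins[0] == "load" and ins[1] < 1:
            return False
        if ins[0] == "branch" and not 1 <= ins[2] <= len(code):
            return False
    return True

def type_check(fname, code, funs=FUNS, constr=CONSTR):
    """Return the type stacks T_1 .. T_|f| (as lists) or raise ValueError.
    Every instruction must satisfy wt_i(f, T); a node reached with two
    different type stacks is rejected, so the solution is unique."""
    if not well_formed(code):
        raise ValueError(f"{fname}: code is not well-formed")
    params, ret = funs[fname]
    n = len(code)
    T = [None] * (n + 2)            # 1-based; T[n + 1] is never read
    T[1] = list(params)             # T_1 is the sequence of parameter types
    work, done = [1], set()

    def flow(j, stack):             # propagate a type stack along an edge (i, j)
        if T[j] is None:
            T[j] = stack
            work.append(j)
        elif T[j] != stack:
            raise ValueError(f"{fname}[{j}]: conflicting type stacks {T[j]} / {stack}")

    while work:
        i = work.pop()
        if i in done:
            continue
        done.add(i)
        Ti, ins, op = T[i], code[i - 1], code[i - 1][0]
        if op == "load":
            k = ins[1]
            if not (i < n and k <= len(Ti)):
                raise ValueError(f"{fname}[{i}]: load {k} on a stack of height {len(Ti)}")
            flow(i + 1, Ti + [Ti[k - 1]])
        elif op in ("build", "call"):
            name, m = ins[1], ins[2]
            ts, t0 = (constr if op == "build" else funs)[name]
            if not (i < n and len(ts) == m and len(Ti) >= m and Ti[len(Ti) - m:] == list(ts)):
                raise ValueError(f"{fname}[{i}]: {op} {name} {m} does not match signature {ts}")
            flow(i + 1, Ti[:len(Ti) - m] + [t0])
        elif op == "return":
            if not (ins[1] == len(params) and Ti and Ti[-1] == ret):
                raise ValueError(f"{fname}[{i}]: return {ins[1]} on a stack of type {Ti}")
        elif op == "stop":
            pass
        elif op == "branch":
            c, j = ins[1], ins[2]
            ts, t0 = constr[c]
            if not (i < n and Ti and Ti[-1] == t0):
                raise ValueError(f"{fname}[{i}]: branch {c} on a stack of type {Ti}")
            flow(i + 1, Ti[:-1] + list(ts))   # constructor matched: its arguments are pushed
            flow(j, Ti)                        # no match: jump with the stack unchanged
        else:
            raise ValueError(f"{fname}[{i}]: unknown instruction {ins}")
    if any(T[i] is None for i in range(1, n + 1)):
        raise ValueError(f"{fname}: unreachable instruction")
    return T[1:n + 1]

def accepts(fname, code, funs=FUNS, constr=CONSTR):
    try:
        type_check(fname, code, funs, constr)
        return True
    except ValueError:
        return False

# Constructed malformed variants: an out-of-range load, and a call whose arity
# annotation is wrong (on return it would desynchronise the caller's stack).
BAD_LOAD = [("load", 3)] + ADD[1:]
BAD_CALL = ADD[:4] + [("call", "add", 1)] + ADD[5:]
```

Checking the arity annotation on call and return is what makes the invariant of Proposition 2 go through for the return rule of Table 1, which pops $n$ values from the caller's stack without looking at the callee's signature.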

Example 3. We continue with our running example and display the type stack of each instruction in the (compiled) code of $add$. We also show the flow graph associated with the function, which exhibits the two possible "execution paths" in the code of $add$.

 i   f[i]          T_i                   edges of E_add
 1   load 1        nat nat               (1, 2)
 2   branch s 7    nat nat nat           (2, 3), (2, 7)
 3   load 2        nat nat nat           (3, 4)
 4   build s 1     nat nat nat nat       (4, 5)
 5   call add 2    nat nat nat nat       (5, 6)
 6   return 2      nat nat nat           leaf
 7   load 2        nat nat nat           (7, 8)
 8   return 2      nat nat nat nat       leaf

In the following, we assume that every node in the flow graph is accessible. If $\mathbf{T}$ is "the" abstract execution of $f$, we say that $f$ is a function (code) of type $\mathbf{T}$. Next, we prove that the execution of verified programs never fails. As expected, we start by proving that type information is preserved during evaluation. This relies on the notions of well-typed frames and configurations. For instance, we say that a stack has type $T$, denoted $\ell : T$, if $T = t_1 \cdots t_n$ and $\ell = v_1 \cdots v_n$, where $v_i$ is of type $t_i$ for all $i \in 1..n$.

$$\frac{c : (t_1, \dots, t_n) \to t \qquad v_i : t_i \quad i \in 1..n}{c(v_1, \dots, v_n) : t} \qquad\qquad \frac{v_i : t_i \quad i \in 1..n}{v_1 \cdots v_n : t_1 \cdots t_n}$$

$$\frac{wt(f, \mathbf{T}) \qquad \ell : \mathbf{T}_i}{wt(f, i, \ell)} \qquad\qquad \frac{M = (f_1, i_1, \ell_1) \cdots (f_m, i_m, \ell_m) \text{ well-formed} \qquad wt(f_j, i_j, \ell_j) \quad j \in 1..m}{wt(M)}$$

Proposition 2 (Type Invariant). Let $M$ be a configuration. If $wt(M)$ and $M \to M'$ then $wt(M')$.

We note that as a side result of the type verification, we obtain, for every instruction, the size of the stack at the time of its execution. The soundness of the type verification follows from a progress property.

Proposition 3 (Progress). Assume $M$ is a well-typed configuration. Then either $M = \epsilon$, or $M$ is a result, $M \Downarrow v_0$, or $M$ reduces, $\exists M'\ (M \to M')$.

5 Shape Analysis 

We define a shape analysis on the bytecode which appears to be original. Instead of computing the type of the values in the stack, we prove that we can also obtain partial information on their shape such as the identity of their top-most constructor. This verification is used in the following size and termination verifications (Sections 6 and 7). We suppose that the code of every function $f$ in the program passes the type verification of Section 4 and that $wt(f, \mathbf{T})$ holds. We denote with $h$ a vector of numbers such that $h_i$ is the height of the stack for instruction $i$, that is $h_i = |\mathbf{T}_i|$ for all $i \in 1..|f|$. Furthermore, for every instruction index $i$ and position $k \in 1..h_i$ in the corresponding stack we assume a fresh variable $x_{i,k}$ ranging over expressions, that is terms built from variables, constructors and function symbols.

We show that under some restrictions on the form of the code, we can solve certain shape constraints and associate with every reachable instruction a substitution, $\sigma_i$, and with every position of the related stack an expression, $e_{i,j}$ (if $f$ is well-typed and every node in its flow graph is reachable then the solution is unique). We can compare the shape analysis with the type verification of Section 4: we compute for each instruction a sequence of expressions, $E = e_1 \cdots e_n$, instead of a sequence of types $T = t_1 \cdots t_n$. The restrictions on the code are the following:

(1) the flow graph of the function is a tree rooted at instruction 1 whose leaves correspond to the instructions return or stop;

(2) every branch instruction is preceded only by load or branch instructions.

These conditions are satisfied by the bytecode obtained from the compilation of functional programs and entail that in every path from the root we cross a sequence of branch and load instructions, then a sequence of load, build, and call instructions, and finally either a stop or return instruction.

The shape constraints are displayed in Table 3. We note that applying a $\text{branch } c\ j$ instruction to a stack whose head value is of the shape $d(\dots)$ with $d \ne c$ produces no effect, which is fine since then the following instruction is not reachable (since the flow graph is a tree, we have $j \ne i + 1$). Hence the shape analysis may also be used to locate dead code. The definition of the relation $wsh_i(f, \sigma, E)$, where $|f| = |\sigma| = |E|$, is by case analysis on the instruction $f[i]$. There are no constraints on $\sigma$ and $E$ if $f[i]$ is a return or stop instruction.

Table 3. Shape Constraints at Instruction $i$: $wsh_i(f, \sigma, E)$

case $f[i]$ of
  load $k$: $\sigma_{i+1} = \sigma_i$ and $E_{i+1} = E_i \cdot E_i[k]$
  build $c\ n$: $\sigma_{i+1} = \sigma_i$, $E_i = E \cdot e_1 \cdots e_n$ and $E_{i+1} = E \cdot c(e_1, \dots, e_n)$
  call $g\ n$: $\sigma_{i+1} = \sigma_i$, $E_i = E \cdot e_1 \cdots e_n$ and $E_{i+1} = E \cdot g(e_1, \dots, e_n)$
  branch $c\ j$: let $E_i = E \cdot p$ in
    if $p$ is a variable $x$ then let $\sigma' = [c(x_{i+1,h_i}, \dots, x_{i+1,h_{i+1}}) / x]$ in
      $\sigma_j = \sigma_i$, $E_j = E_i$, $\sigma_{i+1} = \sigma' \circ \sigma_i$ and $E_{i+1} = \sigma'(E) \cdot x_{i+1,h_i} \cdots x_{i+1,h_{i+1}}$
    else if $p = c(e_1, \dots, e_n)$ then $\sigma_{i+1} = \sigma_i$ and $E_{i+1} = E \cdot e_1 \cdots e_n$
    else if $p = d(\dots)$ with $d \ne c$ then $\sigma_j = \sigma_i$ and $E_j = E_i$
    (where $h_{i+1} = h_i + ar(c) - 1$ and $h_j = h_i$)
The soundness of shape verification is obtained through the definition of a new predicate on configurations, $wsh$, which improves on the "well-typed" predicate introduced in the previous section.

Definition 2 (Well-Shaped Function). A pair $(\sigma, E)$ is a valid shape for the function $f$ of type $(t_1, \dots, t_n) \to t_0$, denoted $wsh(f, \sigma, E)$, if $\sigma_1$ is the identity substitution, $E_1 = x_{1,1} \cdots x_{1,ar(f)}$, and $wsh_i(f, \sigma, E)$ for all $i \in 1..|f|$.

Assume we have a well-formed configuration $M$ containing the frame $(f, i, \ell)$ in $j$-th position and that $arg(M, j) = (u_1, \dots, u_k)$ are the parameters used to initialise this frame. The substitution $\sigma_i$ relates the values $u_1, \dots, u_k$ to the values occurring in $\ell$. More precisely, $(\sigma_i(x_{1,1}), \dots, \sigma_i(x_{1,ar(f)}))$ is a pattern and there is at most one matching substitution $\rho$ such that $\rho \circ \sigma_i(x_{1,j}) = u_j$ for all $j \in 1..k$. On the other hand, the expressions $e_{i,j}$ describe the values occurring in $\ell$. If $e_{i,j}$ is a pattern, that is, if it does not contain a function symbol (which is always the case if the instruction $f[i]$ occurs before the first function call in the execution path), then $\ell[j] = \rho(e_{i,j})$.

For example, if we consider the shape constraints computed for the function $add$ below, we have that for every frame $(add, i, \ell)$ originating from the parameters $(u_1, u_2)$, if $i = 5$ (at the point of the recursive call) then $u_1$ is of the form $s(u_3)$ and $\ell$ is the stack $s(u_3)\ u_2\ u_3\ s(u_2)$.



 i   f[i]          E_i                                          σ_i
 1   load 1        x_{1,1} x_{1,2}                              id
 2   branch s 7    x_{1,1} x_{1,2} x_{1,1}                      id
 3   load 2        s(x_{3,3}) x_{1,2} x_{3,3}                   [s(x_{3,3}) / x_{1,1}]
 4   build s 1     s(x_{3,3}) x_{1,2} x_{3,3} x_{1,2}           [s(x_{3,3}) / x_{1,1}]
 5   call add 2    s(x_{3,3}) x_{1,2} x_{3,3} s(x_{1,2})        [s(x_{3,3}) / x_{1,1}]
 6   return 2      s(x_{3,3}) x_{1,2} add(x_{3,3}, s(x_{1,2}))  [s(x_{3,3}) / x_{1,1}]
 7   load 2        x_{1,1} x_{1,2} x_{1,1}                      id
 8   return 2      x_{1,1} x_{1,2} x_{1,1} x_{1,2}              id



A configuration $M$ is well-shaped if all the frames $(f, i, \ell)$ in $M$ are well-shaped. This condition relies on the parameters used to initialise the frame.

$$\frac{wsh(f, \sigma, E) \qquad match((\sigma_i(x_{1,1}), \dots, \sigma_i(x_{1,ar(f)})), u) = \rho \qquad \text{if } E_i[j] \text{ is a pattern then } \ell[j] = \rho(E_i[j])}{wsh(f, u, i, \ell)}$$

$$\frac{M = (f_1, i_1, \ell_1) \cdots (f_m, i_m, \ell_m) \qquad wt(M) \qquad u_j = arg(M, j) \qquad wsh(f_j, u_j, i_j, \ell_j) \quad j \in 1..m}{wsh(M)}$$

Assume the bytecode of the function $f$ has passed the type and shape verifications. As for type verification, we prove that the shape predicate is invariant under reduction.

Proposition 4. If $wsh(M)$ and $M \to M'$ then $wsh(M')$.

The shape verification is particularly well-suited to the analysis of code obtained from the compilation of functional programs, but it may not scale well to optimised code, like the one obtained by the elimination of tail recursive calls. Nonetheless, we can easily define the size verification (see Section 6) without relying on the shape analysis and perform this verification on programs that do not meet the conditions given previously. Hence, we should not see the shape analysis as a required step of our method but rather as an elegant way to define simultaneously the core of our size and termination analyses.

6 Value Size Verification 

We assume that we have synthesized suitable quasi-interpretations at the language level (before compilation) and that this information is added to the bytecode. Hence, for every constructor $c$ and function symbol $f$, the functions $q_c : (\mathbb{R}^+)^{ar(c)} \to \mathbb{R}^+$ and $q_f : (\mathbb{R}^+)^{ar(f)} \to \mathbb{R}^+$ are given.

We prove that we can check the validity of the quasi-interpretations at the bytecode level (and thus prevent malicious code containing deceitful size annotations) and that we may infer a bound on the size of the frames on the stack.

We assume the bytecode passes the shape verification. Thus for every instruction index $i$ in the segment of the function $f$, the sequence of expressions $E_i$ and the substitution $\sigma_i$ are determined. We also know $h_i$, the height of the stack at instruction $i$, as computed during the type verification.

Definition 3. We say that the size annotations for the function $f$ are correct if the following condition holds for all $i \in 1..|f|$. Assume $E_i = e_1 \cdots e_{h_i}$, then:

$$\forall j \in 1..h_i \qquad q_{f(\sigma_i(x_{1,1}), \dots, \sigma_i(x_{1,ar(f)}))} \ge q_{e_j} \quad \text{over } \mathbb{R}^+ \tag{1}$$

In the case of the (compiled) function $add$, for example, the correctness of the size annotations results from the validity of the inequality $q_{add}(1 + x_{3,3}, x_{1,2}) \ge q_{add}(x_{3,3}, 1 + x_{1,2})$ (from (1) on the expressions obtained for instruction 6).
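As an added example (not the authors' implementation), the following Python code serves both the shape analysis of Section 5 and the size verification above: it solves the constraints of Table 3 for a function whose flow graph is a tree, reproducing the $\sigma_i$ and $E_i$ displayed for $add$, and then checks condition (1) for the additive quasi-interpretation of Example 2. Instead of the Presburger decision procedure mentioned in Section 2, the check uses coefficient-wise dominance of linear forms, which is sound for additive quasi-interpretations but incomplete (an assumption of the example, not a method of the paper). Variable names such as "x3_3" stand for $x_{3,3}$; QI_BAD is a constructed deceitful annotation.

```python
"""Shape analysis (Table 3) and size verification (Definition 3) on the code of add.
Added example, not the paper's code. An expression is a variable (Python string)
or a pair (symbol, args); a substitution is a dict variable -> expression."""

AR = {"z": 0, "s": 1, "add": 2}   # arities of constructors and functions

ADD = [("load", 1), ("branch", "s", 7), ("load", 2), ("build", "s", 1),
       ("call", "add", 2), ("return", 2), ("load", 2), ("return", 2)]

def subst(e, sigma):
    if isinstance(e, str):
        return sigma.get(e, e)
    sym, args = e
    return (sym, tuple(subst(a, sigma) for a in args))

def compose(s2, s1):
    """(s2 o s1)(x) = s2(s1(x))."""
    out = {x: subst(t, s2) for x, t in s1.items()}
    for x, t in s2.items():
        out.setdefault(x, t)
    return out

def shape(fname, code, ar=AR):
    """Solve wsh_i(f, sigma, E) for every reachable i, assuming the flow graph is a tree.
    Returns (SIG, E) with SIG[i-1] = sigma_i and E[i-1] = E_i; dead code stays None."""
    n = len(code)
    SIG, E = [None] * (n + 2), [None] * (n + 2)
    SIG[1], E[1] = {}, [f"x1_{k}" for k in range(1, ar[fname] + 1)]
    work = [1]

    def flow(j, sig, exprs):
        assert E[j] is None, "flow graph is not a tree"
        SIG[j], E[j] = sig, exprs
        work.append(j)

    while work:
        i = work.pop()
        ins, op, si, Ei = code[i - 1], code[i - 1][0], SIG[i], E[i]
        if op == "load":
            flow(i + 1, si, Ei + [Ei[ins[1] - 1]])
        elif op in ("build", "call"):            # both produce the term sym(e_1, ..., e_m)
            sym, m = ins[1], ins[2]
            flow(i + 1, si, Ei[:len(Ei) - m] + [(sym, tuple(Ei[len(Ei) - m:]))])
        elif op == "branch":
            c, j = ins[1], ins[2]
            rest, p, h = Ei[:-1], Ei[-1], len(Ei)
            if isinstance(p, str):               # unknown shape: refine the fall-through successor
                fresh = [f"x{i + 1}_{k}" for k in range(h, h + ar[c])]   # x_{i+1,h_i} .. x_{i+1,h_{i+1}}
                sp = {p: (c, tuple(fresh))}
                flow(j, si, Ei)
                flow(i + 1, compose(sp, si), [subst(e, sp) for e in rest] + fresh)
            elif p[0] == c:                      # known to match: unpack the arguments
                flow(i + 1, si, rest + list(p[1]))
            else:                                # known not to match: i + 1 is dead code
                flow(j, si, Ei)
        # return and stop impose no constraint
    return SIG[1:n + 1], E[1:n + 1]

def lin_sum(*forms):
    """Sum of linear forms over R+, each a dict variable -> coefficient ("" is the constant)."""
    out = {}
    for f in forms:
        for k, c in f.items():
            out[k] = out.get(k, 0) + c
    return out

# Quasi-interpretation of Example 2: q_z = 0, q_s(x) = 1 + x, q_add(x, y) = x + y.
QI = {"z": lambda: {"": 0}, "s": lambda x: lin_sum({"": 1}, x), "add": lambda x, y: lin_sum(x, y)}
# Constructed deceitful annotation: claims the result of add is bounded by its first argument.
QI_BAD = dict(QI, add=lambda x, y: x)

def q(e, qi):
    """q_e as a linear form: a variable maps to itself, a symbol to its q_c or q_f."""
    if isinstance(e, str):
        return {e: 1}
    sym, args = e
    return qi[sym](*(q(a, qi) for a in args))

def dominates(a, b):
    """Sufficient condition for a >= b over R+: every coefficient of a - b is >= 0."""
    return all(a.get(k, 0) >= b.get(k, 0) for k in set(a) | set(b))

def size_annotations_correct(fname, code, qi, ar=AR):
    """Condition (1): q_{f(sigma_i(x_{1,1}), ...)} >= q_{e_j} for every reachable i and every j."""
    SIG, E = shape(fname, code, ar)
    for si, Ei in zip(SIG, E):
        if Ei is None:
            continue
        lhs = q((fname, tuple(subst(f"x1_{k}", si) for k in range(1, ar[fname] + 1))), qi)
        if not all(dominates(lhs, q(e, qi)) for e in Ei):
            return False
    return True
```

The check only looks at the inequalities of condition (1); the side conditions on the annotations themselves (constructors add a constant $d \ge 1$, functions are monotonic and dominate each argument) would have to be verified separately before trusting an annotation shipped with untrusted bytecode.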

The complexity of verifying condition (1) depends on the choice of the quasi-interpretations space. This problem has the same complexity as verifying the correctness of the quasi-interpretation at the level of the functional language, see Section 2. We also notice that the condition is quite redundant and can be optimised. Next, we show (Corollary 1) that the sizes of all the values occurring in a configuration during the evaluation of an expression $f(v_1, \dots, v_n)$ are bounded by the quasi-interpretation of $f(v_1, \dots, v_n)$. This follows from the definition of a new predicate $wsz(M)$ and a related invariant.

$$\frac{wsh(f, \sigma, E) \qquad match((\sigma_i(x_{1,1}), \dots, \sigma_i(x_{1,ar(f)})), u) = \rho \qquad E_i = e_1 \cdots e_{h_i} \qquad \ell = v_1 \cdots v_{h_i} \qquad q_{\rho(e_j)} \ge q_{v_j} \quad j \in 1..h_i}{wsz(f, u, i, \ell)}$$

$$\frac{M = (f_1, i_1, \ell_1) \cdots (f_m, i_m, \ell_m) \qquad wsh(M) \qquad u_j = arg(M, j) \qquad wsz(f_j, u_j, i_j, \ell_j) \quad j \in 1..m \qquad q_{f_k(u_k)} \ge q_{f_{k+1}(u_{k+1})} \quad k \in 1..m-1}{wsz(M)}$$

Assume the bytecode of the function $f$ has passed the type and shape verifications. As for the type and shape verifications, we prove that the size predicate is invariant under reduction.

Proposition 5. If $wsz(M)$ and $M \to M'$ then $wsz(M')$.
Corollary 1. Assume that all the functions in the program are well-sized. If the expression $f(v_1, \dots, v_n)$ is well-typed and $(f, 1, v_1 \cdots v_n) \to^* M \cdot (g, i, \ell)$ then $|v| \le q_{f(v_1, \dots, v_n)}$ for all values $v$ occurring in $\ell$.

Proof. By definition, $wsz((f, 1, v_1 \cdots v_n))$. By Proposition 5, it follows that $wsz(M \cdot (g, i, \ell))$. Let $u = (u_1, \dots, u_k)$ be the parameters used in the initialisation of the top frame: $u = arg(M \cdot (g, i, \ell), |M| + 1)$. Since the configuration is well-sized, we have $wsz(g, u, i, \ell)$ and there is a substitution $\rho$ such that: (c1) $q_{f(v_1, \dots, v_n)} \ge q_{g(u_1, \dots, u_k)}$, (c2) $\rho \circ \sigma_i(x_{1,j}) = u_j$ for all $j \in 1..k$, and (c3) $wsh(g, \sigma, E)$ and $E_i = e_1 \cdots e_{h_i}$ and $q_{\rho(e_j)} \ge q_{\ell[j]}$ for $j \in 1..h_i$.

By definition, the size annotations in the bytecode are correct, which means that by the verification condition (1) we have: $q_{g(\sigma_i(x_{1,1}), \dots, \sigma_i(x_{1,k}))} \ge q_{e_j}$ for all $j \in 1..h_i$. We conclude, for every $j \in 1..h_i$:

$$\begin{aligned}
q_{f(v_1, \dots, v_n)} &\ge q_{g(u_1, \dots, u_k)} && \text{by (c1)} \\
&= q_{g(\rho \circ \sigma_i(x_{1,1}), \dots, \rho \circ \sigma_i(x_{1,k}))} && \text{by (c2)} \\
&\ge q_{\rho(e_j)} && \text{by (1) and monotonicity} \\
&\ge q_{\ell[j]} && \text{by (c3)} \\
&\ge |\ell[j]| && \text{since } q \text{ is a quasi-interpretation.}
\end{aligned}$$

□



We can use Corollary 1 to give a rough estimate of the size of the frames occurring in a configuration. Assume that all the functions in the program are well-sized and consider a frame $(g, i, \ell)$ occurring in a configuration reached from the evaluation of the expression $f(v_1, \dots, v_n)$.

From the type verification, we obtain a bound $h_g$ on the length of the stack $\ell$ (for the function $add$ in our examples we have $h_{add} = 4$). We may define the size of a frame as the sum of the sizes of the values in $\ell$ added to $h_g$; the quantity $h_g$ makes allowance for the presence of constants stored in the stack and we neglect the space needed for storing the function identifier and the program counter. Hence the size of the frame $(g, i, \ell)$ is less than $h_g \cdot (q_{f(v_1, \dots, v_n)} + 1)$. Likewise, if we define the size of a configuration $M$ as the sum of the sizes of the frames occurring in $M$, then we can bound the size of $M$ by the expression $h_m \cdot (q_{f(v_1, \dots, v_n)} + 1) \cdot l$ where $l$ is the number of frames in $M$ and $h_m$ is the maximum of the $h_g$ for all the functions $g$ in the program.

In the next section, we use information obtained from a termination analysis to bound the number of frames that may appear in a reachable configuration. As a result, we obtain a bound on the maximal space needed for the evaluation of the expression $f(v_1, \dots, v_n)$ (see Corollary 3). Moreover, if we can prove termination by lexicographic order, then this bound can be expressed as a polynomial expression on the values $|v_1|, \dots, |v_n|$.



7 Termination Verification 

In this section, we adapt recursive path orderings, a popular technique for checking termination (see, e.g., [6]), to prove termination of the evaluation of the virtual machine. We suppose that the shape verification of the code succeeds. We assume given a pre-order $\ge$ on the function symbols so that $f \approx g$ implies $ar(f) = ar(g)$. Recursive path ordering conditions force $f \ge g$ whenever $f$ may call $g$, and $f \approx g$ whenever $f$ and $g$ are mutually recursive. The pre-order is extended to the constructor symbols by assuming that a constructor is always smaller than a function symbol and that two distinct constructors are incomparable.

We recall that in the recursive path ordering one associates a status with each symbol specifying how its arguments have to be compared. It is required that if $f \approx g$ then $f$ and $g$ have the same status. Here we suppose that the status of every function symbol is lexicographic and that the status of every constructor symbol is the product. We denote with $>_l$ the induced path order. Note that on values $v >_l v'$ if and only if $v'$ embeds homomorphically into $v$. Hence, $v >_l v'$ implies $|v| > |v'|$.

The technical development resembles the one for the value size verification. First, we have to define when the termination annotations given with the bytecode are correct.

Definition 4. We say that the termination annotations for the function $f$ are correct if the following condition holds for all $i \in 1..|f|$. Assume $E_i = e_1 \cdots e_{h_i}$, then:

$$\forall j \in 1..h_i \qquad f(\sigma_i(x_{1,1}), \dots, \sigma_i(x_{1,ar(f)})) >_l e_j \tag{2}$$

For the function $add$, the correctness of the termination annotations results primarily from the validity of the relation $add(s(x_{3,3}), x_{1,2}) >_l add(x_{3,3}, s(x_{1,2}))$ (for the lexicographic path ordering). Next, we introduce a predicate $ter$ (for terminating) on well-shaped configurations $M$; in the frame rule, $\ge_l$ denotes the reflexive closure of $>_l$. As expected, the termination predicate is an invariant.

$$\frac{wsh(f, \sigma, E) \qquad match((\sigma_i(x_{1,1}), \dots, \sigma_i(x_{1,ar(f)})), u) = \rho \qquad E_i = e_1 \cdots e_{h_i} \qquad \ell = v_1 \cdots v_{h_i} \qquad \rho(e_j) \ge_l v_j \quad j \in 1..h_i}{ter(f, u, i, \ell)}$$

$$\frac{M = (f_1, i_1, \ell_1) \cdots (f_m, i_m, \ell_m) \qquad wsh(M) \qquad u_j = arg(M, j) \qquad ter(f_j, u_j, i_j, \ell_j) \quad j \in 1..m \qquad f_k(u_k) >_l f_{k+1}(u_{k+1}) \quad k \in 1..m-1}{ter(M)}$$

Proposition 6. If $ter(M)$ and $M \to M'$ then $ter(M')$.

Corollary 2. Assume that all the functions in the program have correct termination information (see Definition 4). Then the execution of a well-typed frame $(f, 1, v_1 \cdots v_n)$ terminates.

Proof. We define a well-founded order on well-formed configurations that is compatible with the evaluation of the machine. If $i$ is the index of an instruction in the code of $f$, let $r_f(i)$ denote the number of instructions reachable from $i$ in the flow graph $E_f$. Since the flow graph is a tree, whenever we increment the counter or jump to another instruction this value decreases. Let $(\mathcal{V}, >_l)$ be the collection of values $\mathcal{V}$ with the lexicographic path order. It is well known that this is a well-founded order. Then consider $\mathcal{V} \times \mathbb{N}$ with the lexicographic order from left to right. Again this is a well-founded order. Finally, consider $\mathcal{M}(\mathcal{V} \times \mathbb{N})$, the finite multisets over $\mathcal{V} \times \mathbb{N}$ with the induced well-founded order. We associate with a configuration $M = (f_1, i_1, \ell_1) \cdots (f_m, i_m, \ell_m)$, with $u_j = arg(M, j)$, the measure

$$\mu(M) = \{|\, (f_1(u_1), r_{f_1}(i_1) - 1), \dots, (f_{m-1}(u_{m-1}), r_{f_{m-1}}(i_{m-1}) - 1), (f_m(u_m), r_{f_m}(i_m)) \,|\}.$$

Then, by case analysis, we check that all the reduction rules decrease this measure. This proof is by case analysis on the instruction $f_m[i_m]$. Assume $f_m[i_m] = \text{call } g\ n$.




278 



R.M. Amadio et al. 



An element $(f(v), i)$ of the multiset is replaced by the two elements $(f(v), i - 1)$ and $(g(u), r_g(1))$, where $r_g(1)$ is the number of instructions reachable from instruction 1 of $g$ and $f(v) >_l g(u)$ (by the invariant $ter$), so that, with respect to the lexicographic order: $(f(v), i) > (f(v), i - 1)$ and $(f(v), i) > (g(u), r_g(1))$. In the other cases, an element $(f(v), i)$ is either removed or replaced by $(f(v), j)$ with $i > j$, as needed. □

As observed in [5], termination by lexicographic order combined with a polynomial bound on the size of the values leads to polynomial space. We derive a similar result with a similar proof at bytecode level.

Corollary 3. Suppose that the quasi-interpretations are bounded by polynomials and that the value size and termination verifications of the bytecode succeed. Then there exists a polynomial $q$ such that every execution starting from a frame $(f, 1, v_1 \cdots v_n)$ (terminates and) runs in space bounded by $q(|v_1|, \dots, |v_n|)$.

Proof. Note that if $f(v) >_l g(u)$ then either $f > g$ or ($f \approx g$ and $v >_l u$), where $>$ is the strict part of the pre-order. In a sequence $f_1(v_1) >_l \cdots >_l f_m(v_m)$, the first case can occur a constant number of times (the number of equivalence classes of function symbols with respect to $\approx$), thus it is enough to analyse the length of strictly decreasing sequences of tuples of values $(v_1, \dots, v_k)$ lexicographically ordered, where $k$ is the largest arity of a function symbol. If $b$ is a bound on the size of the values then, since on values $v >_l v'$ implies $|v| > |v'|$, we derive that the sequence has length at most $b^k$. Since $b$ is polynomial in the size of the arguments and the number of values on a frame is bounded by a constant (via the stack height verification), a polynomial bound is easily derived. □

From the type verification we obtain a bound $h_m$ on the length of the stacks (for the function $add$ in our examples we have $h_m = 4$). From the size verification we obtain a bound $q_m = q_{f(v_1, \dots, v_n)}$ on the size of every value occurring in a stack (in our example $q_m = |v_1| + |v_2|$). Finally, the termination analysis provides a bound on the maximal number of frames. A crude analysis gives at most $q_m^k$ frames, where $k$ is the greatest arity among the functions occurring during the execution. Hence, the size needed for the execution of a correct program on the initial configuration $(f, 1, v_1 \cdots v_n)$ is bounded by the product $h_m \cdot (q_m + 1) \cdot q_m^k$. We may improve this bound using a finer analysis of the (proof of correctness of the) termination annotations. In the case of $add$, for example, we remark that the size of the first parameter decreases at every call (there could be at most $|v_1|$ frames in a reachable configuration) and therefore we may derive the stricter bound $4 \cdot (|v_1| + |v_2| + 1) \cdot |v_1|$ instead of $4 \cdot (|v_1| + |v_2| + 1) \cdot (|v_1| + |v_2|)^2$.



8 Conclusion and Related Work 

The problem of bounding the size of the memory needed for executing a program has 
already attracted considerable attention but few works have addressed this problem at 
the level of the bytecode. 

Most work in the literature on bytecode verification tends to guarantee the integrity 
of the execution environment. Work on resource bounds is carried on in the MRG 
project [17]. The main technical differences appear to be as follows: (i) they rely on a 
general proof carrying code approach while we are closer to a typed assembly language 
approach and (ii) their analyses focus on the size of the heap while we also consider 
the size of the stack and the termination of the execution. Another related work is due 
to Marion and Moyen [14] who perform a resource analysis of counter machines by 
reduction to a certain type of termination in Petri Nets. Their virtual machine is much 
more restricted than the one we study here as natural numbers is the only data type and 
the stack can only contain return addresses. 

We have shown how to perform type, size, and termination verifications at the level 
of the bytecode running on a simple stack machine. We believe that the choice of a 
simple set of bytecode instructions has a pedagogical value: we can present a minimal 
but still relevant scenario in which problems connected to bytecode verification can 
be effectively discussed. We are in the process of formalising our virtual machine and 
the related invariants in the COQ proof assistant. We are also experimenting with the 
automatic synthesis of annotations at the source code level and with their verification 
at byte code level. Moreover, we plan to refine the predictions on the space needed for 
the execution of a program by referring to an optimised implementation of the virtual 
machine. 
Abstract. In this paper we introduce a compositional proof-system for certifying abstract non-interference in programming languages. Certifying abstract non-interference means proving that no unauthorized flow of information is observable by the attacker from confidential to public data. The properties of the computation that an attacker may observe are specified as an abstract domain. Assertions specify the secrecy of a program relatively to the given attacker and the proof-system specifies how these assertions can be composed in a syntax-directed, à la Hoare, deduction of secrecy. We prove that the proof-system is sound relatively to the standard semantics of an imperative programming language. This provides a sound proof-system for both certifying secrecy in language-based security and deriving attackers which do not violate secrecy inductively on the program's syntax.

Keywords: Abstract interpretation, language-based security, abstract non-interference, verification



1 Introduction 

Standard non-interference has been introduced by Goguen and Meseguer in [19] as a 
key feature to model information flows in security. The idea behind non-interference 
in security is that users have given access control privileges and higher privileges are re- 
quired in order to access files containing confidential data. In this way, when authorized 
users accessing public data are non-interfering with those on private resources, no leak- 
age of confidential information is possible by observing public input/output behavior of 
the system. On this pattern most security policies are specified in language-based secu- 
rity, where users are program components specified in some high-level programming 
language (see [26]). Most methods and techniques for checking secure information 
flows in software, ranging from standard data-flow/control-flow analysis techniques 
to type inference, are based on non-interference. All of these approaches are devoted 
to proving that a system as a whole, or parts of it, does not allow confidential data to 
flow towards public variables. Type-based approaches are designed in such a way that 
well-typed programs do not leak secrets. In a security-typed language, a type is induc- 
tively associated at compile-time with program statements in such a way that any state- 
ment showing a potential flow disclosing secrets is rejected [28, 30, 32]. Similarly, data- 
flow/control-flow analysis techniques are devoted to statically discover flows of secret 
data into public variables [6,22,23,27]. The problem of weakening non-interference, 

J. Marcinkowski and A. Tarlecki (Eds.): CSL 2004, LNCS 3210, pp. 280-294, 2004. 
also known as refining security policies, has been recognized as a long-standing major 
challenge in language-based security [26]. In standard non-interference, the attacker is 
able to fully analyze concrete computations. In this case, any conservative type/data- 
flow/control-flow analysis of information flows would discard all the programs which 
may provide any explicit or implicit concrete flows from confidential to public re- 
sources. Standard non-interference is therefore often too strict for any practical use in 
language-based security; most programs are rejected by static control/data flow analyz- 
ers or type checkers for non-interference. In order to adapt security policies to practical 
cases, it would be essential to know how much an attacker may learn from a program by 
(statically) analyzing its input/output behavior. This idea has recently led to the defini- 
tion of the notion of abstract non-interference [16]. Abstract non-interference captures a 
weaker form of non-interference, where non-interference is made parametric relatively 
to some abstract property of input/output behaviour. Consider the following program P 
written in a simple imperative language, where the while-statement iterates until $x_1$ is 
0. Suppose $x_1 : H$ is a secret variable and $x_2 : L$ is a public variable: 

while $x_1$ do $x_2 := x_2 * 2$; $x_1 := x_1 - 1$ endw 

While in standard non-interference there is an implicit flow from $x_1$ to $x_2$, due to 
the while-statement, because $x_2$ changes depending on the initial value of $x_1$, this is 
not true for weaker abstractions of public data. In particular, if the attacker can only 
observe whether the public variable $x_2$ is a power of 2, then, since the operation 
cannot change the status of $x_2$ as being or not being a power of two, the attacker is unable to 
observe any interference due to the implicit flow. Abstract non-interference generalizes 
this idea to arbitrary abstractions of the semantics of a programming language. This 
provides both a characterization of the degree of secrecy of a program relatively to 
what an attacker can analyze about its input/output information flow and the possibility 
for certifying code relatively to some weaker form of non-interference. 



The Problem 

Abstract non-interference is based on the idea that the model of an attacker is an ab- 
stract interpretation of the semantics of the program. A program satisfies the abstract 
non-interference condition relatively to some given abstraction (attacker) if the ab- 
straction obfuscates any possible interference between confidential and public data. In 
[16] the authors introduce a step-by-step weakening of Goguen and Meseguer’s non- 
interference by specifying abstract non-interference as a property of the semantics of the 
program. The idea of modeling attackers as abstract domains provides advanced meth- 
ods for deriving attackers by systematically transforming the corresponding abstract 
domains. An algebraic characterization of the most precise secure attacker, i.e., the 
most precise abstraction for which the program satisfies the abstract non-interference 
property, is given as a fixpoint domain construction. This abstraction, as well as any ab- 
stractions for which the program satisfies abstract non-interference, is both a model of 
a harmless attacker and a certificate for the security degree of the program. However 
the original definition of abstract non-interference is not specified inductively on pro- 
gram’s syntax but rather it is derived as an abstraction of the concrete semantics of the 



282 



R. Giacobazzi and I. Mastroeni 



whole program. This makes the use of abstract non-interference hard in automatic pro- 
gram certification mechanisms, such as in proof-carrying code architectures [24] and 
in type-based verification algorithms. The logical approach to secure information flow 
is not new. In [12] dynamic logic is used for characterizing secure information flows, 
deriving a theorem prover for checking programs. In [1] an axiomatic approach for 
checking secure information flows is provided. In particular the authors syntactically 
derive the secure information flows that may happen during the execution. Both these 
works don’t characterize the power of the attacker. 

Main Contribution 

In this paper we introduce a compositional proof-system for certifying abstract non- 
interference in programming languages which means proving that the program satisfies 
an abstract non-interference constraint relatively to some given abstraction of its in- 
put/output. Abstractions are specified in the standard abstract interpretation [9] frame- 
work. Assertions in the proof-system have the form of Hoare triples: $(\eta)P(\rho)$ where 
P is a program fragment and $\eta$ and $\rho$ are abstractions of program's data. However the 
interpretation of abstract non-interference assertions is rather different from partial cor- 
rectness assertions (see [3]): $(\eta)P(\rho)$ means that P is unable to disclose secrets if input 
and output values on public variables are approximated respectively in $\eta$ and $\rho$. Hence, 
abstract non-interference assertions specify the secrecy of a program relatively to a 
given model of an attacker and the proof-system specifies how these assertions can be 
composed in a syntax-directed a la Hoare deduction of secrecy. We introduce two proof- 
systems for checking abstract non-interference. The first deals with a stronger notion of 
abstract non-interference called narrow abstract non-interference [16]. The advantage 
of narrow abstract non-interference is in the simplicity of the proof-system and in its 
natural derivation from the operational semantics of the language. This proof-system is 
necessary in order to derive a proof-system for most general abstract non-interference 
assertions. We prove that the proof-systems are sound relatively to the standard seman- 
tics of an imperative programming language. Both proof-systems provide a deeper insight in 
abstract non-interference, by specifying how assertions concerning secrecy compose 
with each other. This is essential for any static semantics for secrecy devoted to derive 
certificates specifying the degree of secrecy of a program. 



2 Basic Notions 

If S and T are sets, then $\wp(S)$ denotes the powerset of S, $S \setminus T$ denotes the set-difference 
between S and T, $S \subset T$ denotes strict inclusion, and for a function $f : S \to T$ and 
$X \subseteq S$, $f(X) = \{f(x) \mid x \in X\}$. We will often denote $f(\{x\})$ as $f(x)$. $\langle P, \le\rangle$ denotes 
a poset P with ordering relation $\le$, while $\langle P, \le, \vee, \wedge, \top, \bot\rangle$ denotes a complete lattice 
P, with ordering $\le$, lub $\vee$, glb $\wedge$, greatest element (top) $\top$, and least element (bottom) 
$\bot$. Often, $\le_P$ will be used to denote the underlying ordering of a poset P, and $\vee_P$, 
$\wedge_P$, $\top_P$ and $\bot_P$ denote the basic operations and elements if P is a complete lattice. 
$f : C \to A$ is (completely) additive if f preserves lub's of all subsets of C (emptyset 
included). A proof-system $\mathcal{P}$ on a set of formulas $\Phi$ is a finite set of axiom schemes 
and proof rules. A proof of $\varphi$ in $\mathcal{P}$ is a finite sequence of formulas $\varphi_1, \ldots, \varphi_n$ such that 
$\varphi = \varphi_n$ and each $\varphi_i$ is either an axiom in $\mathcal{P}$ or it can be obtained by applying a proof 
rule in $\mathcal{P}$. In this case $\varphi$ is also called a theorem of $\mathcal{P}$, and denoted $\vdash_{\mathcal{P}} \varphi$. 



2.1 Abstract Interpretation 

Abstract domains can be equivalently formulated either in terms of Galois connec- 
tions or closure operators [10]. An upper closure operator on a poset P is an oper- 
ator $\rho : P \to P$ monotone, idempotent and extensive ($\forall x \in P.\ x \le_P \rho(x)$). The 
set of all upper closure operators on P is denoted by $uco(P)$. Let $\langle C, \le, \vee, \wedge, \top, \bot\rangle$ 
be a complete lattice. Closure operators are uniquely determined by the set of their 
fix-points $\rho(C)$. $\rho(C)$ is a complete sub-lattice of C iff $\rho$ is additive. If C is a com- 
plete lattice then $uco(C)$ ordered point-wise is also a complete lattice, denoted by 
$\langle uco(C), \sqsubseteq, \sqcup, \sqcap, \lambda x.\top, \lambda x.x\rangle$, where for every $\rho, \eta \in uco(C)$, $\{\rho_i\}_{i \in I} \subseteq uco(C)$ 
and $x \in C$: $\rho \sqsubseteq \eta$ iff $\forall y \in C.\ \rho(y) \le \eta(y)$ iff $\eta(C) \subseteq \rho(C)$; 
$(\sqcap_{i \in I}\rho_i)(x) = \wedge_{i \in I}\rho_i(x)$; and $(\sqcup_{i \in I}\rho_i)(x) = x \iff \forall i \in I.\ \rho_i(x) = x$. 
The disjunctive completion of a domain is the most abstract domain able to represent 
the concrete disjunction of its objects: $\Upsilon(\rho) = \sqcup\{\eta \in uco(C) \mid \eta \sqsubseteq \rho \text{ and } \eta \text{ is additive}\}$. 
$\rho$ is disjunctive iff $\Upsilon(\rho) = \rho$ (cf. [10, 18]). Closure operators and partitions are related con- 
cepts. A closure $\rho \in uco(\wp(X))$ induces a partition on X: $\{[x]_\rho \mid x \in X\}$, where 
$[x]_\rho = \{y \mid \rho(x) = \rho(y)\}$. The most concrete closure that induces the same partition 
of values as $\rho$ is $\Pi(\rho) = \Upsilon(\{[x]_\rho \mid x \in X\})$ (see Fig. 1). The idea is that $\Pi(\rho)$ is the 
most concrete closure such that for any $y \in \Pi(\rho(x))$: $\Pi(\rho(x)) = \Pi(\rho(y))$, while in 
general $\rho(y) \subseteq \rho(x)$. 

Fig. 1. Example of partitions as disjunctive completion 

2.2 The Deterministic Language 

In the following we consider a simple imperative language, Imp [31], where programs 
are commands with the following syntax: 

c ::= nil | x := e | c; c | while x do c endw 

with e denoting expressions evaluated in the set of values $\mathbb{V}$ with standard operations, 
i.e., if $\mathbb{V} = \mathbb{Z}$ then e can be any arithmetical expression. As usual, $\mathbb{V}$ can be struc- 
tured as a flat domain, whose bottom element $\bot$ denotes the value of undefined vari- 
ables. In the following we will denote by $Var(P)$ the set of variables of the program 
$P \in Imp$. Let's consider the well-known operational semantics of Imp [31]. The op- 
erational semantics naturally induces a transition relation on a set of states $\Sigma$, denoted 
$\to$, specifying the relation between a state and its possible successors. $\langle \Sigma, \to\rangle$ is a 
transition system. In our case, if $|Var(P)| = n$ then $\Sigma = \mathbb{V}^n$. We follow Cousot's 
construction [8, 11], defining semantics, at different levels of abstraction, as the ab- 
stract interpretation of the maximal trace semantics of a transition system associated 
with each well-formed program. In the following, $\Sigma^+$ and $\Sigma^\omega = \mathbb{N} \to \Sigma$ denote re- 
spectively the set of finite nonempty and infinite sequences of symbols in $\Sigma$. Given a 
sequence $\sigma \in \Sigma^\infty = \Sigma^+ \cup \Sigma^\omega$, its length is denoted $|\sigma| \in \mathbb{N} \cup \{\omega\}$ and its i-th element 
is denoted $\sigma_i$. A non-empty finite (infinite) trace $\sigma \in \Sigma^\infty$ is a finite (infinite) sequence 
of program states where two consecutive elements are in the transition relation, i.e., 
for all $i < |\sigma|$: $\sigma_i \to \sigma_{i+1}$. The maximal trace semantics [11] of a transition sys- 
tem associated with a program P is $[\![P]\!]^\infty = [\![P]\!]^+ \cup [\![P]\!]^\omega$, where if $T \subseteq \Sigma$ is a set 
of final/blocking states then $[\![P]\!]^n = \{\sigma \in \Sigma^+ \mid |\sigma| = n, \forall i \in [1, n).\ \sigma_{i-1} \to \sigma_i\}$, 
$[\![P]\!]^\omega = \{\sigma \in \Sigma^\omega \mid \forall i \in \mathbb{N}.\ \sigma_i \to \sigma_{i+1}\}$, $[\![P]\!]^+ = \bigcup_{n > 0}\{\sigma \in [\![P]\!]^n \mid \sigma_{n-1} \in T\}$, 
and the maximal finite traces of length n are $[\![P]\!]^n \cap [\![P]\!]^+$. If $\sigma \in [\![P]\!]^+$, then $\sigma_\dashv$ and $\sigma_\vdash$ denote respectively the 
final and initial state of $\sigma$. The denotational semantics associates input/output func- 
tions with programs, by modeling non-termination by $\bot$. This semantics is derived 
in [8] by abstract interpretation from the maximal trace semantics with abstraction 
$\alpha^{\mathfrak{D}}(X) = \lambda s \in \Sigma.\ \{\sigma_\dashv \mid \sigma \in X \cap \Sigma^+, s = \sigma_\vdash\} \cup \{\bot \mid \exists \sigma \in X \cap \Sigma^\omega.\ s = \sigma_\vdash\}$. Note 
that, since our programs are deterministic, $\alpha^{\mathfrak{D}}(X)(s)$ is always a singleton. It is well 
known that we can associate with each program $P \in Imp$ a function $[\![P]\!]$ denoting its 
input/output relation, such that $[\![P]\!] = \alpha^{\mathfrak{D}}([\![P]\!]^\infty)$. 



3 Non-interference 

Many security problems in language-based security are problems of interference. In 
order to keep some data confidential, a user might state a policy stipulating that no 
data visible to other users is affected by modifying confidential data. This policy allows 
programs to manipulate and modify private data, as long as visible outputs of those 
programs do not reveal information about the private data. A policy of this sort is a non- 
interference policy [19], also referred to as secrecy [29]. Confidential data are considered 
private, labeled with H (high level of secrecy), while all other data are public, labeled 
with L (low level of secrecy) [14]. Secrecy is usually formulated saying that the final 
value of a low variable does not depend on the initial value of high variables [29]. An 
attacker (or unauthorized user) is assumed to be allowed to view only information that is 
not secret. The usual method for showing that secrecy holds is to verify that the attacker 
cannot observe any difference between two executions that differ only in their secret 
input [29, 20]. In this case we say that the program has only secure information flows 
[22, 29, 14, 4, 5, 7, 13]. In order to model this situation we consider the denotational 
semantics $[\![P]\!]$ of the program P. We consider a typing function $t \in Var \to \{H, L\}$, 
which associates with each variable in a program its security class. In the following, if 
$x \in Var(P)$ then we denote $x : t(x)$ the corresponding security typing. If $T \in \{H, L\}$, 
$v \in \mathbb{V}^n$, and $n = |\{x \in Var(P) \mid t(x) = T\}|$, we abuse notation by denoting $v \in \mathbb{V}^T$ the 
fact that v is a possible value for the vector of variables with security type T. Moreover, 
we assume that any state $s \in \Sigma$ can be seen as a pair $\langle h, l\rangle$ where $h \in \mathbb{V}^H$ and $l \in \mathbb{V}^L$ 
and we denote the projection on low values as $\langle h, l\rangle^L = l$. In this case, standard non- 
interference can be formulated as follows. 



A program P is secure if 
$\forall l \in \mathbb{V}^L, \forall v_1, v_2 \in \mathbb{V}^H.\ ([\![P]\!](v_1, l))^L = ([\![P]\!](v_2, l))^L$ 






In [16] we introduced a weaker notion of non-interference modeling weaker infor- 
mation flows. The idea is that an attacker can observe only some properties of public 
concrete values. The observable properties are modeled as abstractions. As usual in ab- 
stract interpretation, a property is an upper closure operator on the concrete domain 
of computation [10]. It is clear that any observation made on program input/output 
behaviour by abstract interpretation of its semantics strictly depends upon the chosen 
abstract domains. The model of an attacker, also called attacker, is therefore a pair 
of abstractions $\langle \eta, \rho\rangle$, with $\eta, \rho \in uco(\wp(\mathbb{V}^L))$, representing what an observer can 
see about respectively the input and output of a program. Given a program P, narrow 
(abstract) non-interference, denoted $[\eta]P(\rho)$, and abstract non-interference, denoted 
$(\eta)P(\rho)$, introduced in [16], represent a weakening of standard non-interference rela- 
tively to a given model of an attacker $\langle \eta, \rho\rangle$. In the following we will abuse notation by 
denoting with $[\![P]\!]$ also the additive lifting of $[\![P]\!]$ to sets of states. Moreover we will 
use the following simplified notation: $([\![P]\!](h_1, l_1))^L = [\![P]\!](h_1, l_1)^L$. 

Definition 1. Let $\eta, \rho \in uco(\wp(\mathbb{V}^L))$. A program $P \in Imp$ is such that $[\eta]P(\rho)$ if 
$\forall h_1, h_2 \in \mathbb{V}^H, \forall l_1, l_2 \in \mathbb{V}^L.\ \eta(l_1) = \eta(l_2) \Rightarrow \rho([\![P]\!](h_1, l_1)^L) = \rho([\![P]\!](h_2, l_2)^L)$. 
$P \in Imp$ is such that $(\eta)P(\rho)$ if $\forall h_1, h_2 \in \mathbb{V}^H, \forall l \in \mathbb{V}^L.\ \rho([\![P]\!](h_1, \eta(l))^L) = \rho([\![P]\!](h_2, \eta(l))^L)$. 

The difference between abstract and narrow non-interference lies upon what the 
attacker may observe of the input property rj. Due to the possible presence of decep- 
tive flows in narrow non-interference (see [16]), abstract non-interference represents a 
weaker notion. 

Proposition 1. $[id]P(id) \Rightarrow (\eta)P(\rho)$ and $[\eta]P(\rho) \Rightarrow (\eta)P(\rho)$. 

Example 1. Let $\mathit{Sign} = \{\mathbb{Z}, +, -, \varnothing\}$ and $\mathit{Par} = \{\mathbb{Z}, 2\mathbb{Z}, 2\mathbb{Z} + 1, \varnothing\}$, and consider the 
program $P \triangleq l := \ldots$ with security typing $t = (h : H, l : L)$ and $\mathbb{V} = \mathbb{Z}$. Note that 

$\mathit{Par}(-2) = \mathit{Par}(4) = 2\mathbb{Z}$, but $\mathit{Sign}([\![P]\!](h, -2)^L) = - \neq + = \mathit{Sign}([\![P]\!](h, 4)^L)$. 

Namely $[\mathit{Par}]P(\mathit{Sign})$ does not hold, due to a deceptive flow generated by a change of low inputs 
having the same property in $\mathit{Par}$. 

In [16] two methods for deriving the most concrete output observation for a pro- 
gram, given the input one, for both narrow and abstract non-interference are provided. 
In particular the idea is that of collecting in the same abstract object all the elements that, 
if distinguished, would generate a visible flow. This most concrete output observation 
that is not able to get information from the program P observing $\eta$ in input for narrow 
and abstract non-interference is respectively denoted $[\eta][\![P]\!](id)$ and $(\eta)[\![P]\!](id)$. 
Theorem 1 ([16]). $[\eta][\![P]\!](id) \sqsubseteq \rho \Rightarrow [\eta]P(\rho)$ and $(\eta)[\![P]\!](id) \sqsubseteq \rho \Rightarrow (\eta)P(\rho)$. 

In the following whenever $\rho$ is such that $(\eta)[\![P]\!](id) \sqsubseteq \rho$ we will write $\models (\eta)P(\rho)$. 
The same holds for the narrow non-interference. 

The main limitation on the use of either $[\eta][\![P]\!](id)$ or $(\eta)[\![P]\!](id)$ for checking 
abstract non-interference is due to their dependence on the final result of the con- 
crete semantics of the program itself. This makes the construction of $(\eta)[\![P]\!](id)$ and 
$[\eta][\![P]\!](id)$ a hard task for large programs. In particular, no evidence is given in [16] on 
how these abstract domains can be derived inductively on program's syntax. This prob- 
lem is solved in the next section, where a proof-system is introduced for both narrow 
and abstract non-interference. 



4 Axiomatic Abstract Non-interference 

In this section we introduce a proof-system for certifying abstract non-interference of 
programs. We assume a set $\Phi$ of basic formulas which can be freely generated from 
some given set of predicates on $\mathbb{V}^L$ with the basic connectives $\wedge$, $\vee$ and $\neg$. An abstract 
domain $\rho \in uco(\wp(\mathbb{V}^L))$ can therefore be represented as a $\wedge$-closed set of formulas in $\Phi$. 
$\rho = \Upsilon(\rho)$, i.e., $\rho$ is disjunctive, iff it is closed under $\vee$ [18]. Note also that $\rho = \Pi(\rho)$ iff 
$\rho$ is closed both by $\vee$ and $\neg$ (cf. [17, 25]). The semantics of a set of formulas is the corre- 
sponding abstract domain. The interpretation of $\sqcap$ and $\sqcup$ is therefore straightforward. 
As in most programming languages, Imp allows both explicit (through assignment) and 
implicit (through conditionals) flows [13]. The source of implicit flows in Imp is the 
while-statement. 

In order to certify secrecy when implicit flows may occur, we need to model the 
properties that are invariant during the executions of programs. Intuitively an abstraction 
is invariant for a program fragment P, written $\{\rho\}_L\, P\, \{\rho\}_L$, when by observing the 
property $\rho$ of the public input of P, we are not able to observe any difference in the $\rho$ 
property of the public output. In other words $\{\rho\}_L\, P\, \{\rho\}_L$ means that P is observably 
equivalent to nil as regards the property $\rho$. This information is essential in order to 
certify the lack of implicit flows relatively to an abstraction. These invariant abstractions 
are obtained with an a la Hoare proof-system, where assertions are invariant properties 
of the form $\{\rho\}_L\, P\, \{\rho\}_L$, with $\rho \in uco(\wp(\mathbb{V}^L))$. Invariants of expressions are parametric 
on a public variable: $\models \{\rho\}\,(e, x)\,\{\rho\}$ iff $\forall l \in \mathbb{V}^L, h \in \mathbb{V}^H.\ \rho(\mathcal{E}[\![e]\!](h, l)) = \rho(l|_x)$, 
where for any expression e, $\mathcal{E}[\![e]\!] : \Sigma \to \mathbb{V}$ is the standard semantics of expressions 
and $l|_x$ denotes the value that in $l \in \mathbb{V}^L$ is assigned to x. The intuition is that e does not 
change the property $\rho$ of the value of x. The public invariants of programs are defined 
as $\models \{\rho\}_L\, P\, \{\rho\}_L$ iff $\forall l \in \mathbb{V}^L, h \in \mathbb{V}^H.\ \rho([\![P]\!](h, l)^L) = \rho(l)$. Public invariants for 
programs can be derived by induction on the syntax of Imp by using the proof-system 
$\mathcal{I} = \{I1, \ldots, I7\}$ as defined in Table 1. Rule I1 says that the property $\top$, which is 
unable to distinguish any value, is invariant for any program. I2 says that any property 
is invariant for the program nil. The same holds if the program is an assignment to high 
variables (I3), since by definition invariants are constraints on low variables only. In I4, 
if a property is invariant for the evaluation of an expression as regards the input value 
of a low variable x, then it is invariant for the assignment to x. Consider for example 
Table 1. Derivation of public invariants of programs 

I1: $\{\top\}_L\, c\, \{\top\}_L$ 

I2: $\{\rho\}_L\, nil\, \{\rho\}_L$ 

I3: $\frac{x : H}{\{\rho\}_L\, x := e\, \{\rho\}_L}$ 

I4: $\frac{\{\rho\}\,(e, x)\,\{\rho\},\quad x : L}{\{\rho\}_L\, x := e\, \{\rho\}_L}$ 

I5: $\frac{\{\rho\}_L\, c_1\, \{\rho\}_L,\quad \{\rho\}_L\, c_2\, \{\rho\}_L}{\{\rho\}_L\, c_1; c_2\, \{\rho\}_L}$ 

I6: $\frac{\{\rho\}_L\, c\, \{\rho\}_L}{\{\rho\}_L\, \text{while } x \text{ do } c \text{ endw}\, \{\rho\}_L}$ 

I7: $\frac{\{\rho'\}_L\, c\, \{\rho'\}_L,\quad \rho' \sqsubseteq \rho}{\{\rho\}_L\, c\, \{\rho\}_L}$ 



Table 2. Axiomatic narrow (abstract) non-interference 

N0: $\frac{[\eta][\![c]\!](id) \sqsubseteq \rho}{[\eta]c(\rho)}$ 

N1: $[\eta]c(\top)$ 

N2: $\frac{\Pi(\eta) \sqsubseteq \Pi(\rho)}{[\eta]nil(\rho)}$ 

N3: $\frac{[\eta]e(\rho),\quad [\Pi(\eta) \sqsubseteq \Pi(\rho)],\quad x : L}{[\eta]x := e(\rho)}$ 

N4: $\frac{x : H,\quad \Pi(\eta) \sqsubseteq \Pi(\rho)}{[\eta]x := e(\rho)}$ 

N5: $\frac{[\eta]c_1(\rho),\quad [\rho]c_2(\beta)}{[\eta]c_1; c_2(\beta)}$ 

N6: $\frac{\{\rho\}_L\, c\, \{\rho\}_L}{[\rho]\text{while } x \text{ do } c \text{ endw}(\rho)}$ 

N7: $\frac{[\eta']c(\rho'),\quad \eta \sqsubseteq \eta',\quad \rho' \sqsubseteq \rho}{[\eta]c(\rho)}$ 

N8: $\frac{\forall i \in I.\ [\eta]c(\rho_i)}{[\eta]c(\sqcup_{i \in I}\rho_i)}$ 

N9: $\frac{\forall i \in I.\ [\eta]c(\rho_i)}{[\eta]c(\sqcap_{i \in I}\rho_i)}$ 



the expression $l + 2$, then the property $\mathit{Sign}$ (which abstracts on the sign of an integer 
variable) is not invariant, since if we consider the input value $l = -1$, then we have 
that $\mathit{Sign}(l + 2) = \mathit{Sign}(1) = + \neq \mathit{Sign}(l) = -$. On the other hand, we have that $\mathit{Par}$ 
(which abstracts on the parity of an integer variable) is invariant for this expression 
as regards the variable l, since the operation $l + 2$ doesn't change the parity of the 
value assigned to l. At this point if the statement is $l := l + 2$, then we have that 
$\{\mathit{Par}\}_L\, l := l + 2\, \{\mathit{Par}\}_L$. Note that, in order to apply this rule, if $\mathbb{V}^L = \mathbb{V}_1 \times \ldots \times \mathbb{V}_n$, 
then $\rho \in uco(\mathbb{V}^L)$ is such that $\rho(\langle x_1, \ldots, x_n\rangle) = \langle \rho(x_1), \ldots, \rho(x_n)\rangle$. Rule I5 says that 
the invariants distribute on the sequential composition. I6 states that, given a while- 
statement, if a property is invariant for the body, then the same property is invariant for 
the whole statement. This rule holds since the only modifications of variables made by 
the while are made by its body. Weakening (I7) says that any more abstract property 
of an invariant is still invariant. A derivation in the proof-system of public invariants in 
Table 1 is denoted $\vdash_{\mathcal{I}}$. 

Theorem 2. Let $P \in Imp$ and $\rho \in uco(\mathbb{V}^L)$. If $\vdash_{\mathcal{I}} \{\rho\}_L\, P\, \{\rho\}_L$ then $\models \{\rho\}_L\, P\, \{\rho\}_L$. 
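As an added illustration of how Table 1 is applied (example code, not the paper's own), the following Python script derives public invariants syntax-directedly: it walks a small Imp AST applying I1 to I6 (I7, weakening, is not syntax-directed and is left out) and checks the expression invariant required by I4 by exhaustive evaluation over a constructed sample of states, which is the only semantic step of the derivation. Closures are represented by their action on single values, i.e. by what they return on singletons; the names TOP, Par, Sign, odd_part (standing in for the closure $\rho_2$ of Example 7), STATES, EX2_LOOP and EX7_LOOP are assumptions of the example.

```python
"""Added example, not the paper's code: syntax-directed derivation of public
invariants {rho}_L c {rho}_L following rules I1-I6 of Table 1 (weakening I7 is
not syntax-directed and is omitted).  Commands are a small AST for Imp; rho is
a function giving the abstract value of a single integer (rho({v})); the
expression invariant {rho}(e, x){rho} needed by I4 is checked by exhaustive
evaluation on a constructed sample of states, the only semantic step."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Nil:
    pass

@dataclass
class Assign:
    var: str
    expr: Callable[[dict], int]   # E[[e]], evaluated on a store {name: value}
    typ: str                      # security type of var: 'H' or 'L'

@dataclass
class Seq:
    c1: object
    c2: object

@dataclass
class While:
    guard: str
    body: object


# abstract values of single integers for the closures used in the paper
TOP = lambda v: "T"                                        # distinguishes nothing
Par = lambda v: v % 2                                      # {Z, 2Z, 2Z+1, empty}
Sign = lambda v: "+" if v > 0 else "-" if v < 0 else "T"   # 0 only fits Z

def odd_part(v):
    """rho_2 of Example 7: the classes n{2}^N, named by the odd factor n
    (extended here to all of Z; 0 forms its own class)."""
    while v != 0 and v % 2 == 0:
        v //= 2
    return v


def expr_invariant(rho, e, x, states):
    """{rho}(e, x){rho}: rho(E[[e]](h, l)) == rho(l|x) on every sampled state."""
    return all(rho(e(s)) == rho(s[x]) for s in states)

def derive(rho, c, states, trace):
    """True iff {rho}_L c {rho}_L is derivable by I1-I6; rules used go to trace."""
    if rho is TOP:                                       # I1: top is always invariant
        trace.append("I1")
        return True
    if isinstance(c, Nil):                               # I2
        trace.append("I2")
        return True
    if isinstance(c, Assign):
        if c.typ == "H":                                 # I3: high assignment
            trace.append("I3")
            return True
        if expr_invariant(rho, c.expr, c.var, states):   # I4: low assignment
            trace.append("I4")
            return True
        return False
    if isinstance(c, Seq):                               # I5: both components
        ok = derive(rho, c.c1, states, trace) and derive(rho, c.c2, states, trace)
    else:                                                # I6: the loop body
        ok = derive(rho, c.body, states, trace)
    if ok:
        trace.append("I5" if isinstance(c, Seq) else "I6")
    return ok


# constructed sample of states over h : H, l : L
STATES = [{"h": h, "l": l} for h in range(4) for l in range(-6, 7)]

# loop of Example 2: while h do l := l + 2; h := h - 1 endw
EX2_LOOP = While("h", Seq(Assign("l", lambda s: s["l"] + 2, "L"),
                          Assign("h", lambda s: s["h"] - 1, "H")))
# loop of Example 7: while h do l := 2 * l; h := h - 1 endw
EX7_LOOP = While("h", Seq(Assign("l", lambda s: 2 * s["l"], "L"),
                          Assign("h", lambda s: s["h"] - 1, "H")))

def invariant(rho, c):
    """Returns (derivable?, rules applied in order)."""
    trace = []
    return derive(rho, c, STATES, trace), trace

if __name__ == "__main__":
    for name, rho in [("Par", Par), ("Sign", Sign), ("odd_part", odd_part), ("T", TOP)]:
        print(f"{{{name}}}_L ex2 {{{name}}}_L:", invariant(rho, EX2_LOOP))
    print("{rho_2}_L ex7 {rho_2}_L:", invariant(odd_part, EX7_LOOP))
```

For the Example 2 loop the derivation with Par is I4, I3, I5, I6, exactly the steps the example spells out, while with Sign it stops at I4 because the sample state l = -1 breaks the expression invariant; for the Example 7 loop the odd-part closure survives the doubling of l, which is what A6 later needs.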

We can now introduce a proof-system for narrow abstract non-interference. This is 
specified as in Table 2. Rule N0 derives from Th. 1. It states that given a program c and 
an input observation $\eta$ we can derive the most concrete output observation that makes 
the program secret. This corresponds to finding the strongest post-condition (viz. the 
most concrete abstract domain) for the program c with precondition $\eta$ such that narrow 
abstract non-interference holds. This is a "semantic rule", because it involves the con- 
struction of the abstract domain $[\eta][\![c]\!](id)$, which is equivalent to computing the concrete 
semantics of the command c [16]. However, this rule allows us to include in the narrow 
abstract non-interference proofs also assertions which can be systematically derived as 
an abstract domain transformation as shown in [16]. Rule N1 says that if the output 
observation is the property $\top$, then the input can be any property. N2 says that nil is 
secret for any possible attacker such that the partition induced by the input observation is 
more concrete than the output one. This condition is necessary since in this case abstract 
non-interference corresponds to saying $\forall l_1, l_2.\ \eta(l_1) = \eta(l_2) \Rightarrow \rho(l_1) = \rho(l_2)$, which 
holds iff $\Pi(\eta) \sqsubseteq \Pi(\rho)$. Rule N3 considers a notion of secrecy extended to expressions, 
i.e., $\models [\eta]e(\rho)$ iff $\forall l_1, l_2 \in \mathbb{V}^L.\ \eta(l_1) = \eta(l_2)$ we have 
$\forall h_1, h_2 \in \mathbb{V}^H.\ \rho(\mathcal{E}[\![e]\!](h_1, l_1)) = \rho(\mathcal{E}[\![e]\!](h_2, l_2))$. The variable being public, the secrecy of the expression distributes on 
the assignment when the partition induced by the input observation is more concrete 
than the output one. This condition on the induced partitions is necessary only when 
there are public variables for which the assignment behaves as nil (see N2). Rule N4 
says that an assignment to a high variable is always secret when the partition induced 
by the input observation is more concrete than the output one, since an assignment to pri- 
vate variables behaves as nil for the public variables. Indeed note that if, for example, 
we have the statement $h := h + 1$, then clearly $\rho([\![h := h + 1]\!](h_1, l_1)^L) = \rho(l_1)$ 
and $\rho([\![h := h + 1]\!](h_2, l_2)^L) = \rho(l_2)$. This means that also in this case narrow non- 
interference corresponds to saying $\eta(l_1) = \eta(l_2) \Rightarrow \rho(l_1) = \rho(l_2)$. Both N3 and N4 
consider closures on tuples that are tuples of abstractions, as in I4. Rule N5 shows how 
we can compose the attackers in presence of sequential composition of programs. In 
particular two programs $c_1$ and $c_2$ compose secretly when $c_1$ is secret for the output ob- 
servation which is the input one that makes $c_2$ secret. N6 controls the while-statement. 
In particular the condition $\{\rho\}_L\, c\, \{\rho\}_L$ states that the program c is not acting on the 
property $\rho$ of the public data, namely $\rho$ is invariant in the execution of c, in the sense 
that the property $\rho$ of public data is not changed by the execution of c. If this happens 
then the behaviour of c observed from $\rho$ is the same as the program nil, and therefore 
whether the while is executed or not is not distinguishable by an observer. We 
apply this rule also when the guard is a low variable, because narrow non-interference 
may observe also deceptive flows. N7 is the consequence rule, which states that we can 
concretize the input observation and we can abstract the output one, as observed in [16]. 
Finally N8 and N9 say that both the least upper bound and the greatest lower bound of 
output observations making a program secret still make the program secret. We denote 
by $\mathcal{N} = \mathcal{I} \cup \{N0, \ldots, N9\}$ the proof-system for narrow abstract non-interference and 
by $\mathcal{N}_0 = \mathcal{I} \cup \{N1, \ldots, N9\}$ the same proof system without the semantic rule N0. The next 
result specifies that the proof-system, without the rule N0, is sound. 

Theorem 3. Let $P \in Imp$ and $\eta, \rho \in uco(\mathbb{V}^L)$. If $\vdash_{\mathcal{N}_0} [\eta]P(\rho)$ then $\models [\eta]P(\rho)$. 

Example 2. Consider the closure $\mathit{Par}$ which observes parity, and the program: 

$P \triangleq l := 2 * h;\ \text{while } h \text{ do } l := l + 2;\ h := h - 1 \text{ endw}$ 

with security typing $t = (h : H, l : L)$ and $\mathbb{V} = \mathbb{Z}$. We have $[\top]2 * h(\rho_1)$ 
where $\rho_1$ is the closure which is not able to distinguish even numbers, i.e., 
$\rho_1 = \Upsilon(\{2\mathbb{Z}\} \cup \{\{n\} \mid n \text{ odd}\})$. Therefore, by N3, we obtain $[\top]l := 2 * h(\rho_1)$ (note that 
since there is only one low variable we ignore the condition $\Pi(\eta) \sqsubseteq \Pi(\rho)$). Consider 
now the while-statement. We note that the operation $l + 2$ leaves unchanged the par- 
ity of l; this means that if the input is even then the output is even, and similarly if it 
is odd. Namely for each n such that $\mathit{Par}(n) = \mathit{Par}(l)$ we have 
$\mathit{Par}(\mathcal{E}[\![l + 2]\!](h, n)) = \mathit{Par}(n + 2) = \mathit{Par}(n) = \mathit{Par}(l)$. Therefore $\{\mathit{Par}\}\,(l + 2, l)\,\{\mathit{Par}\}$, 
which implies, by I4 and I3, 

$\frac{\{\mathit{Par}\}\,(l + 2, l)\,\{\mathit{Par}\} \qquad h : H}{\{\mathit{Par}\}_L\, l := l + 2\, \{\mathit{Par}\}_L, \quad \{\mathit{Par}\}_L\, h := h - 1\, \{\mathit{Par}\}_L}$ 

Therefore, by I5, we have that $\{\mathit{Par}\}_L\, l := l + 2;\ h := h - 1\, \{\mathit{Par}\}_L$. Now we can 
apply rule N6 obtaining 

$\frac{\{\mathit{Par}\}_L\, l := l + 2;\ h := h - 1\, \{\mathit{Par}\}_L}{[\mathit{Par}]\text{while } h \text{ do } l := l + 2;\ h := h - 1 \text{ endw}(\mathit{Par})}$ 

Finally note that $\rho_1 \sqsubseteq \mathit{Par}$, hence by N7 we have also that $[\top]l := 2 * h(\mathit{Par})$, 
therefore we can apply rule N5 and we obtain that $[\top]P(\mathit{Par})$. 

Unfortunately the system $\mathcal{N}_0$ is not complete, and in particular N5 is the rule that 
introduces incompleteness. 

Example 3. Consider the property $\mathit{Par}$ observing parity, and the following program P 
with security typing $t = (h : H, l : L)$ and $\mathbb{V} = \mathbb{Z}$. 

$P \triangleq l := 4 * h^2 + 4;\ \text{while } h \text{ do } l := l \bmod 4;\ h := 0 \text{ endw}$ 

Let us denote $c = \text{while } h \text{ do } l := l \bmod 4;\ h := 0 \text{ endw}$. We can prove that we 
have $\models [\top]l := 4h^2 + 4(\rho_1)$, where $\rho_1$ is defined in Example 2, and $\models [\top]P(\rho_1)$. But 
we can show that $\not\models [\rho_1]c(\rho_1)$ since $\rho_1([\![c]\!](0, 5)^L) = 5 \neq \rho_1([\![c]\!](1, 5)^L) = 1$. 

This means that $\not\vdash_{\mathcal{N}_0} [\top]P(\rho_1)$. 
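The closure constructions of Sect. 2.1 and the two non-interference notions of Definition 1 can be checked mechanically on a finite slice of $\mathbb{Z}$, which is also a convenient way to confirm the semantic claims of Example 3 above. The following Python script is an added example and not code from the paper: it builds closures on $\wp(U)$ from generator sets, the disjunctive completion $\Upsilon$ and the partition closure $\Pi$, and runs standard, narrow and abstract non-interference as brute-force oracles over the introduction's while-program, over nil (to exhibit a deceptive flow, the situation behind the side condition $\Pi(\eta) \sqsubseteq \Pi(\rho)$ of rule N2), and over the program and loop of Example 3, reproducing $\models [\top]P(\rho_1)$ and $\not\models [\rho_1]c(\rho_1)$. The universe U, the sample inputs, and the name Pow2 for the power-of-two domain of the introduction are constructed for the example.

```python
"""Added example, not part of the paper: a finite-universe model of the closure
operators of Sect. 2.1 and a brute-force oracle for Definition 1, run on the
while-program of the introduction, on nil (deceptive flows) and on Example 3.
U is a constructed finite slice of Z; programs and inputs below are chosen so
that every value they produce stays inside U."""
from itertools import product

U = frozenset(range(-16, 17))   # constructed finite universe standing in for Z

def moore_closure(generators):
    """uco on powerset(U) whose fixpoints are the intersections of the generators
    (U is always one): rho(X) = smallest fixpoint containing X."""
    fix = [frozenset(g) & U for g in generators] + [U]
    return lambda X: frozenset.intersection(*[F for F in fix if set(X) <= F])

def disjunctive_completion(rho):
    """Upsilon(rho): most abstract additive closure below rho; on a powerset its
    fixpoints are unions of rho's, so Upsilon(rho)(X) = U_{x in X} rho({x})."""
    return lambda X: frozenset().union(*(rho({x}) for x in X))

def partition_closure(rho):
    """Pi(rho) = Upsilon({[x]_rho | x in U}), [x]_rho = {y | rho({x}) == rho({y})}."""
    block = {x: frozenset(y for y in U if rho({y}) == rho({x})) for x in U}
    return lambda X: frozenset().union(*(block[x] for x in X))

def is_uco(rho, sample_sets):
    """Extensive, idempotent and monotone on the sampled sets (Sect. 2.1)."""
    S = [frozenset(s) for s in sample_sets]
    return (all(X <= rho(X) for X in S) and all(rho(rho(X)) == rho(X) for X in S)
            and all(rho(X) <= rho(Y) for X in S for Y in S if X <= Y))

def finer_partition(eta, rho):
    """Pi(eta) below Pi(rho), the side condition of N2-N4: each eta-block lies in
    a rho-block.  Both sides are additive, so checking singletons is enough."""
    Pe, Pr = partition_closure(eta), partition_closure(rho)
    return all(Pe({x}) <= Pr({x}) for x in U)

# closures from the paper, built over U
TOP = moore_closure([])                                         # lambda x. top
Par = moore_closure([{x for x in U if x % 2 == 0}, {x for x in U if x % 2}])
Sign = moore_closure([{x for x in U if x > 0}, {x for x in U if x < 0}])
Pow2 = moore_closure([{1, 2, 4, 8, 16}, set()])                 # {Z, powers of 2, empty}
rho_1 = disjunctive_completion(                                 # Upsilon({2Z} u {{n} | n odd})
    moore_closure([{x for x in U if x % 2 == 0}] + [{n} for n in U if n % 2]))

# programs as functions (h, l) -> low output, i.e. [[P]](h, l)^L
def intro_prog(x1, x2):   # while x1 do x2 := x2 * 2; x1 := x1 - 1 endw, x1 : H, x2 : L
    while x1:
        x2, x1 = x2 * 2, x1 - 1
    return x2

def nil_prog(h, l):       # nil
    return l

def ex3_loop(h, l):       # c = while h do l := l mod 4; h := 0 endw
    while h:
        l, h = l % 4, 0
    return l

def ex3_prog(h, l):       # P = l := 4 * h^2 + 4; c
    return ex3_loop(h, 4 * h * h + 4)

def standard_ni(P, highs, lows):
    """Sect. 3: [[P]](v1, l)^L = [[P]](v2, l)^L for all l and all v1, v2."""
    return all(P(h1, l) == P(h2, l) for l in lows for h1, h2 in product(highs, repeat=2))

def narrow_ani(P, eta, rho, highs, lows):
    """[eta]P(rho): eta(l1) = eta(l2) implies rho(P(h1, l1)) = rho(P(h2, l2))."""
    return all(eta({l1}) != eta({l2}) or rho({P(h1, l1)}) == rho({P(h2, l2)})
               for l1, l2 in product(lows, repeat=2) for h1, h2 in product(highs, repeat=2))

def abstract_ani(P, eta, rho, highs, lows):
    """(eta)P(rho): rho(P(h1, eta(l))) = rho(P(h2, eta(l))) with P lifted to sets;
    eta(l) is cut down to the sampled low inputs."""
    run = lambda h, L: frozenset(P(h, l) for l in L)
    return all(rho(run(h1, eta({l}) & lows)) == rho(run(h2, eta({l}) & lows))
               for l in lows for h1, h2 in product(highs, repeat=2))

def results():
    """Constructed inputs; non-negative highs keep the loops terminating."""
    H, L = frozenset(range(3)), frozenset(range(1, 5))         # introduction
    Ls = frozenset(range(-4, 5))                                # nil, both signs
    H3, L3 = frozenset({0, 1}), frozenset(range(8))             # Example 3
    return {
        "Par is a uco": is_uco(Par, [set(), {2}, {3}, {2, 4}, {2, 3}, U]),
        "intro standard NI": standard_ni(intro_prog, H, L),
        "intro [Pow2]P(Pow2)": narrow_ani(intro_prog, Pow2, Pow2, H, L),
        "intro (Pow2)P(Pow2)": abstract_ani(intro_prog, Pow2, Pow2, H, L),
        "intro [Par]P(Par)": narrow_ani(intro_prog, Par, Par, H, L),
        "nil [Par]nil(Sign)": narrow_ani(nil_prog, Par, Sign, H, Ls),   # deceptive flow
        "nil (Par)nil(Sign)": abstract_ani(nil_prog, Par, Sign, H, Ls),
        "Pi(Par) below Pi(Sign)": finer_partition(Par, Sign),           # why N2 fails
        "ex3 [T]P(rho_1)": narrow_ani(ex3_prog, TOP, rho_1, H3, L3),
        "ex3 [rho_1]c(rho_1)": narrow_ani(ex3_loop, rho_1, rho_1, H3, L3),
    }

if __name__ == "__main__":
    for claim, holds in results().items():
        print(f"{claim:24} {holds}")
```

The nil lines are the instructive ones: nil has no flow at all, yet $[\mathit{Par}]nil(\mathit{Sign})$ fails because $-2$ and $4$ share their parity but not their sign, while $(\mathit{Par})nil(\mathit{Sign})$ holds because the input is abstracted to the whole parity class before it is observed; finer_partition reports that $\Pi(\mathit{Par}) \sqsubseteq \Pi(\mathit{Sign})$ is false, which is exactly why N2 refuses the narrow assertion. The same oracles can be pointed at the programs of Examples 4 and 5 by adding their closures and statements in the same style.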

It is clear that rule N0 makes the proof system complete. This is a straight conse- 
quence of Theorem 1. 

Corollary 1. The proof-system $\mathcal{N}$ is complete. 

We now introduce in Table 3 a proof-system for abstract non-interference, i.e., mod- 
eling how $(\eta)P(\rho)$ assertions compose inductively on program's syntax. The rules A0 
and A1 in Table 3 are similar to the ones in Table 2. The rule A2 differs from N2 since 
abstract non-interference avoids deceptive flows. In rule A3 we consider the general- 
ization of the notion of abstract non-interference to expressions as we made for the 
narrow one. Moreover, as in N3, we consider here only abstractions of tuples that are 
tuples of abstractions. A4 is straightforward. In order to understand the difference from 
N4 consider the example used for explaining N4, i.e., $h := h + 1$; then in abstract non- 
interference we compute the following sets: $\rho([\![h := h + 1]\!](h_1, \eta(l_1))^L) = \rho(\eta(l_1))$ and 
$\rho([\![h := h + 1]\!](h_2, \eta(l_2))^L) = \rho(\eta(l_2))$, which are clearly the same when $\eta(l_1) = \eta(l_2)$. 
The major difference between narrow and abstract non-interference is in rule A5. In 
this case we need to consider a narrow assertion for $c_2$ involving disjunctive domains. 
This is due to the fact that by definition abstract non-interference checks input prop- 
erties on singletons while the output of the abstract non-interference assertion for $c_1$ 
Table 3. Axiomatic abstract non-interference 

A0: $\frac{(\eta)[\![c]\!](id) \sqsubseteq \rho}{(\eta)c(\rho)}$ 

A1: $(\eta)c(\top)$ 

A2: $(\eta)nil(\rho)$ 

A3: $\frac{(\eta)e(\rho),\quad x : L}{(\eta)x := e(\rho)}$ 

A4: $\frac{x : H}{(\eta)x := e(\rho)}$ 

A5: $\frac{(\eta)c_1(\Upsilon(\rho)),\quad [\rho]c_2(\Upsilon(\beta))}{(\eta)c_1; c_2(\Upsilon(\beta))}$ 

A6: $\frac{\{\rho\}_L\, c\, \{\rho\}_L,\quad x : H}{(\rho)\text{while } x \text{ do } c \text{ endw}(\rho)}$ 

A7: $\frac{(\rho)c(\rho),\quad x : L}{(\rho)\text{while } x \text{ do } c \text{ endw}(\rho)}$ 

A8: $\frac{(\eta)c(\rho'),\quad \rho' \sqsubseteq \rho}{(\eta)c(\rho)}$ 

A9: $\frac{\forall i \in I.\ (\eta)c(\rho_i)}{(\eta)c(\sqcup_{i \in I}\rho_i)}$ 

A10: $\frac{\forall i \in I.\ (\eta)c(\rho_i)}{(\eta)c(\sqcap_{i \in I}\rho_i)}$ 



deals with properties of sets of values. In order to cope with this "type mismatch", we 
need to strengthen the natural counterpart of rule N5 for abstract non-interference. The next 
example shows that considering abstract non-interference for $c_2$ is not sufficient to 
achieve soundness. 

Example 4. Consider $\mathit{Par}$ and the program P in Example 3. We can prove that we 
have $(\top)l := 4h^2 + 4(\mathit{Par})$ and $(\mathit{Par})c(\rho)$, where $\rho = \mathit{Par} \cup \{\{0\}\}$. But we can show 
that $\not\models (\top)l := 4h^2 + 4;\ c(\rho)$ since $\rho([\![l := 4h^2 + 4;\ c]\!](0, \mathbb{Z})^L) = \rho(4) = 2\mathbb{Z}$ while we 
have $\rho([\![l := 4h^2 + 4;\ c]\!](1, \mathbb{Z})^L) = \rho(0) = \{0\}$, namely they are different. 

Moreover note that A5 requires that for both $c_1$ and $c_2$ the output closures are addi- 
tive maps, i.e., disjunctive abstract domains, as shown in the following example. 

Example 5. Consider the following program P with security typing $t = (h : H, l : L)$ 
and $\mathbb{V}^H = \mathbb{V}^L = \mathbb{Z}$: 

$P = c_1; c_2 = l := (h \bmod 2)(2l \bmod 4) + (1 - (h \bmod 2))(l \bmod 2 + 1);$ 

$\qquad\qquad l := (l \bmod 2) * 4h + (1 - (l \bmod 2)) * (4h + 1)$ 

Consider $\rho = \{\mathbb{Z}, 4\mathbb{Z}, 4\mathbb{Z} + 1, 4\mathbb{Z} + 2, 4\mathbb{Z} + 3, \varnothing\}$ (not additive), then $(\top)c_1(\rho)$ since 
$\forall h \in 2\mathbb{Z}.\ \rho([\![c_1]\!](h, \mathbb{Z})^L) = \rho(\{1, 2\}) = \mathbb{Z}$, and $\forall h \in 2\mathbb{Z} + 1$ we have 
$\rho([\![c_1]\!](h, \mathbb{Z})^L) = \rho(\{0, 2\}) = \mathbb{Z}$. On the other hand it is simple to show that $[\rho]c_2(\rho)$ since this statement 
leaves unchanged the abstraction of l. But if we consider the composition then we have 
that $\not\models (\top)P(\rho)$ because if $h \in 2\mathbb{Z}$ then $\rho([\![P]\!](h, \mathbb{Z})^L) = \rho(\{4h, 4h + 1\}) = \mathbb{Z}$ while if 
$h \in 2\mathbb{Z} + 1$ then $\rho([\![P]\!](h, \mathbb{Z})^L) = \rho(\{4h + 1\}) = 4\mathbb{Z} + 1$. Note that the first statement 
is not secret if we consider the disjunctive completion of $\rho$ in output. 

Rule A6 is equal to N6, since also A5 requires narrow non-interference. Rule A7 
is straightforward from the definition of abstract non-interference and was absent in the 
narrow one because of the presence of deceptive flows. The last three rules (A8, A9 and A10) 
change since in abstract non-interference we cannot concretize the input observation. 
The proof-system in Table 3 is denoted $\mathcal{A} = \mathcal{N} \cup \{A0, \ldots, A10\}$ and the proof system 
without the semantic rule A0 is denoted as $\mathcal{A}_0 = \mathcal{N}_0 \cup \{A1, \ldots, A10\}$. The follow- 
ing theorem proves the soundness of the proof-system $\mathcal{A}_0$ with respect to the standard 
semantics of Imp. 
Theorem 4. Let $P \in \mathrm{Imp}$ be a program and $\eta, \rho \in uco(V^L)$. If $\vdash_{\mathcal{A}_0} (\eta)P(\rho)$ then 
$\models (\eta)P(\rho)$. 

Example 6. Consider Par and the program P in Example 3. We can prove that $(\top)l := 
4h^2 + 4(\mathit{Par})$ and $[\mathit{Par}]c(\mathit{Par})$, therefore $(\top)l := 4h^2 + 4;\ c(\mathit{Par})$. Indeed if we consider 
$h_1 = 4$ and $h_2 = 8$ then clearly $\top(4) = \top(8) = \top$ but $\mathit{Par}([\![l := 4h^2 + 4;\ c]\!](0, \top)^L) = 
\mathit{Par}([\![c]\!](0, 4h^2 + 4)^L) = \mathit{Par}(4h^2 + 4) = 2\mathbb{Z}$, while $\mathit{Par}([\![l := 4h^2 + 4;\ c]\!](1, \top)^L) = 
\mathit{Par}([\![c]\!](1, 4h^2 + 4)^L) = \mathit{Par}(0) = 2\mathbb{Z}$, namely they are the same. 

Example 7. Consider the program fragment 

$P = l := 2^h;\ \mathtt{while}\ h\ \mathtt{do}\ l := 2 * l;\ h := h - 1\ \mathtt{endw}$ 

with security typing $t = (h : H, l : L)$ and $V^H = V^L = \mathbb{N}$. First of all we note that 
$(\top)2^h(\rho_1)$, where $\rho_1 = \Upsilon(\{2^{\mathbb{N}}\} \cup \{\{n\} \mid n \notin 2^{\mathbb{N}}\})$. This means that we can apply 
A3, obtaining $(\top)l := 2^h(\rho_1)$. Consider now the while-statement, that we denote by $c$, 
and the closure $\rho_2 = \Upsilon(\{n2^{\mathbb{N}} \mid n \in \mathbb{N}\ \text{odd}\})$. We note that $\{\rho_2\}\ 2 * l\ \{\rho_2\}$ and 
therefore, by I4, we have $\{\rho_2\}_l\ l := 2 * l\ \{\rho_2\}_l$. On the other hand, by I3 we have 
$\{\rho_2\}_l\ h := h - 1\ \{\rho_2\}_l$, and therefore by I5 we obtain $\{\rho_2\}_l\ l := 2 * l;\ h := h - 1\ \{\rho_2\}_l$. 
Now we can apply A6 obtaining $[\rho_2]\mathtt{while}\ h\ \mathtt{do}\ l := 2 * l;\ h := h - 1\ \mathtt{endw}(\rho_2)$ and 
therefore we use A5 obtaining $(\top)P(\rho_2)$. 

The following example shows that the proof-system $\mathcal{A}_0$ for abstract non-interference 
in Table 3 is not complete. 

Example 8. Consider the closure $\rho = \{\mathbb{Z}, 2\mathbb{Z}, 4\mathbb{Z}, \emptyset\}$ and consider the program 
$P = \mathtt{while}\ h\ \mathtt{do}\ l := (l \bmod 4) * (l + 4);\ h := 0\ \mathtt{endw}$ 

with security typing $t = (h : H, l : L)$ and $V^H = V^L = \mathbb{Z}$. Note that $(\rho)P(\rho)$ since, 
for example, $\rho([\![P]\!](1, 2\mathbb{Z})^L) = 2\mathbb{Z} = \rho([\![P]\!](0, 2\mathbb{Z})^L)$. But we have that $\not\models \{\rho\}_l\ P\ \{\rho\}_l$ 
since $\rho([\![P]\!](1, 2)^L) = \rho(0) = 4\mathbb{Z} \neq \rho(2) = 2\mathbb{Z}$. 

The example above shows that A6 is not complete, but it is not the only incom- 
plete rule. In particular, by the same argument used in Example 3 for N5, A5 is also 
incomplete. Even A7 is incomplete as shown in the following example. 

Example 9. Consider $\rho = \{\mathbb{Z}, \{0\}, 2\mathbb{Z}_0, 2\mathbb{Z} + 1, \emptyset\}$, where $2\mathbb{Z}_0 = 2\mathbb{Z} \setminus \{0\}$, and 

$P = \mathtt{while}\ l_1\ \mathtt{do}\ l_2 := \mathrm{iszero}(h) * h^2;\ l_1 := 0\ \mathtt{endw}$ 

with security typing $t = (h : H, l_1, l_2 : L)$ and $\mathrm{iszero}(x) = 1$ if $x = 0$ and 
$\mathrm{iszero}(x) = 0$ otherwise. Then we show that $\not\models (\rho)l_2 := \mathrm{iszero}(h) * h^2;\ l_1 := 0(\rho)$ 
since, if we take the low input $(0, 2\mathbb{Z}_0)$ then we have $\rho([\![l_2 := \mathrm{iszero}(h) * h^2;\ l_1 := 
0]\!](1, (0, 2\mathbb{Z}_0))^L) = \rho((0, 1)) = (0, 2\mathbb{Z} + 1) \neq (0, 2\mathbb{Z}_0) = \rho([\![l_2 := \mathrm{iszero}(h) * h^2;\ 
l_1 := 0]\!](2, (0, 2\mathbb{Z}_0))^L)$. But it is worth noting that $(\rho)P(\rho)$ since for example 
$\rho([\![P]\!](\top, (0, 2\mathbb{Z}_0))^L) = (0, 2\mathbb{Z}_0)$ and $\rho([\![P]\!](\top, (2\mathbb{Z}_0, 2\mathbb{Z}_0))^L) = (0, 0)$. 

All the other rules are complete. As above, for the proof-system for narrow abstract 
non-interference Af, also for abstract non-interference, the semantic rule AO makes A 
complete. This is a straight consequence of Th. 1 . 
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Corollary 2. The proof-system A is complete. 

The next result specifies a relation between derivations in the narrow and abstract non- 
interference proof systems. This result is in accordance with the expected relation be- 
tween narrow and abstract non-interference, the first being stronger. 

Theorem 5. Let $P \in \mathrm{Imp}$ be a program and $\eta, \rho \in uco(V^L)$. If $\vdash_{\mathcal{N}_0} [\eta]P(\rho)$ then 
$\vdash_{\mathcal{A}_0} (\eta)P(\rho)$. 

The next example shows that $\mathcal{A}$ is strictly weaker than $\mathcal{N}$. We show that if $\models [\eta]P(\rho)$ 
and $\vdash_{\mathcal{A}_0} (\eta)P(\rho)$, the fact that $[\eta]P(\rho) \Rightarrow (\eta)P(\rho)$ does not imply that $\vdash_{\mathcal{N}_0} [\eta]P(\rho)$. 

Example 10. Consider the property Sign and the program $P = h := h + l;\ l := 2 * h$, 
with security typing $t = (h : H, l : L)$ and $V^H = V^L = \mathbb{Z}$. Note that $[\mathit{Sign}]P(\mathit{Par})$ since 
$\forall l \in \mathbb{Z},\ h \in \mathbb{Z}$ we have $\mathit{Par}([\![P]\!](h, l)^L) = \mathit{Par}(2 * h) = 2\mathbb{Z}$. This means also that 
$\models (\mathit{Sign})P(\mathit{Par})$. But note that $\not\models [\mathit{Sign}]h := h + l(\mathit{Par})$ since $\mathit{Sign}(2) = \mathit{Sign}(3) = 
\mathbb{Z}^+$ and $\mathit{Par}([\![h := h + l]\!](h, 2)^L) = \mathit{Par}(2) = 2\mathbb{Z} \neq \mathit{Par}([\![h := h + l]\!](h, 3)^L) = 
\mathit{Par}(3) = 2\mathbb{Z} + 1$. This means that $\not\vdash_{\mathcal{N}_0} [\mathit{Sign}]P(\mathit{Par})$. On the other hand we have that 
$(\mathit{Sign})h := h + l(\mathit{Par})$ and $[\mathit{Par}]l := 2 * h(\mathit{Par})$, therefore we can use A5 
since Par is disjunctive, and therefore we infer $(\mathit{Sign})P(\mathit{Par})$. 
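The checker below is an added example, not code from the paper: it evaluates the narrow $[\eta]P(\rho)$ and abstract $(\eta)P(\rho)$ judgements exactly as Examples 5 and 10 use them (narrow: any two low inputs that $\eta$ does not distinguish must give the same $\rho$-view of the output, for any pair of high inputs; abstract: the program is run on the whole set $\eta(l)$ and the $\rho$-view must not depend on $h$), and it tests whether an output closure is disjunctive, which is what A5 demands. Two things are assumptions of the example rather than the paper's: $V^H = V^L = \mathbb{Z}$ is replaced by a finite window of integers, so a `None` verdict only means "no counterexample in the window" while a returned tuple is a genuine counterexample, and the closure Sign is taken to be $\{\mathbb{Z}, \{0\}, \mathbb{Z}^+, \mathbb{Z}^-, \emptyset\}$.

```python
# Added example, not code from the paper: a bounded brute-force checker for the
# narrow [eta]P(rho) and abstract (eta)P(rho) judgements of Examples 5 and 10.
# V^H = V^L = Z is replaced by a finite window (assumption), so None means
# "no counterexample in the window", while a tuple is a genuine counterexample.

WINDOW = range(-20, 21)   # constructed finite sample of Z


class Closure:
    """An upper closure operator on P(Z), listed by its elements other than Z and
    the empty set as (label, membership predicate) pairs, smaller elements first.
    rho(S) is the label of the smallest listed element containing S, else 'Z'."""

    def __init__(self, name, elements):
        self.name = name
        self.elements = list(elements)

    def __call__(self, values):
        values = frozenset(values)
        if not values:
            return "empty"
        for label, member in self.elements:
            if all(member(v) for v in values):
                return label
        return "Z"

    def extent(self, label):
        """The window part of the element with this label (concretisation)."""
        if label == "Z":
            return frozenset(WINDOW)
        member = dict(self.elements).get(label, lambda _: False)
        return frozenset(v for v in WINDOW if member(v))

    def concretise(self, value):
        """eta(l) as a set: the low inputs the attacker eta cannot tell from value."""
        return self.extent(self({value}))


def is_disjunctive(rho):
    """A5 needs a disjunctive output closure: the union of two elements is an element."""
    extents = [rho.extent(label) for label, _ in rho.elements]
    return all(rho.extent(rho(a | b)) == a | b for a in extents for b in extents)


def narrow_ni(eta, prog, rho):
    """[eta]P(rho): whenever eta(l1) = eta(l2), rho(P(h1, l1)) = rho(P(h2, l2))
    for all h1, h2.  prog(h, l) returns the low output."""
    first = {}                                 # eta-class of l -> (observation, witness)
    for h in WINDOW:
        for l in WINDOW:
            key, obs = eta({l}), rho({prog(h, l)})
            if key in first and first[key][0] != obs:
                return first[key][1], (h, l)   # two indistinguishable inputs, distinct views
            first.setdefault(key, (obs, (h, l)))
    return None


def abstract_ni(eta, prog, rho):
    """(eta)P(rho): P run on the whole set eta(l) must give the same rho-view for
    every h.  Deceptive flows (variation inside eta(l)) are deliberately ignored."""
    for l in WINDOW:
        inputs = eta.concretise(l)
        views = {rho(prog(h, x) for x in inputs) for h in WINDOW}
        if len(views) > 1:
            return l, sorted(views)
    return None


# Closures from the examples; the shape of Sign ({0}, Z+, Z-) is an assumption.
TOP = Closure("Top", [])
PAR = Closure("Par", [("2Z", lambda n: n % 2 == 0), ("2Z+1", lambda n: n % 2 == 1)])
MOD4 = Closure("Mod4", [("4Z+%d" % r, (lambda r: lambda n: n % 4 == r)(r)) for r in range(4)])
SIGN = Closure("Sign", [("{0}", lambda n: n == 0), ("Z+", lambda n: n > 0), ("Z-", lambda n: n < 0)])


# Example 5: P = c1; c2 with typing h : H, l : L.
def c1(h, l): return (h % 2) * ((2 * l) % 4) + (1 - h % 2) * (l % 2 + 1)
def c2(h, l): return (l % 2) * 4 * h + (1 - l % 2) * (4 * h + 1)
def p5(h, l): return c2(h, c1(h, l))


# Example 10: P = h := h + l; l := 2 * h.
def h_plus_l(h, l): return l            # h := h + l leaves the low variable unchanged
def l_twice_h(h, l): return 2 * h
def p10(h, l): return 2 * (h + l)


if __name__ == "__main__":
    print(abstract_ni(TOP, c1, MOD4), narrow_ni(MOD4, c2, MOD4))   # premises of A5 both hold
    print(abstract_ni(TOP, p5, MOD4), is_disjunctive(MOD4))        # yet the composition leaks
    print(narrow_ni(SIGN, h_plus_l, PAR), abstract_ni(SIGN, p10, PAR), is_disjunctive(PAR))
```

Run as a script, the first line shows both A5 premises of Example 5 holding, the second line shows the composition leaking together with the reason A5 does not apply (the output closure is not disjunctive), and the third line reproduces Example 10: the narrow judgement for $h := h + l$ fails on a deceptive flow while the abstract judgement for the whole program holds and Par is disjunctive. Because the window is finite, a `None` from this checker is evidence, not a proof; a returned witness, on the other hand, is a concrete pair of runs an attacker with the given observation power can tell apart.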



5 Discussion 

We have introduced a sound proof-system for both narrow and abstract non-interference. 
The advantage of a proof-system for abstract non-interference is that checking abstract 
non-interference can be easily mechanized. Both $\mathcal{N}$ and $\mathcal{A}$ can benefit from standard abstract 
interpretation methods for generating basic certificates for simple program fragments 
(rules N0 and A0). The other rules allow us to combine certificates from program 
fragments in a proof-theoretic derivation of harmless models of attackers, certifying 
program secrecy. The interest in this technology is mostly related with its use in a la 
proof carrying code (PCC) verification of abstract non-interference, when mobile code 
is allowed. In this case in a PCC architecture, the code producer may create an ab- 
stract non-interference certificate that attests to the fact that the code secrecy cannot be 
violated by the corresponding model of the attacker. Then the code consumer may vali- 
date the certificate to check that the foreign code is secure for the corresponding model 
of attacker. The implementation of this technology requires an appropriate choice of 
a logic for specifying abstractions and an adequate logical framework where the logic 
can be manipulated. We believe that predicate abstraction [15, 21] is a fairly simple and 
easily mechanizable way for reasoning about abstract domains. More appropriate log- 
ics can be designed following the ideas in [2], even though a mechanizable logic for 
reasoning about abstractions is currently a major challenge in this field and deserves 
further investigations. The language we used is quite simple. Even though abstract non- 
interference made secrecy a purely semantics problem, any extension of Imp and its 
semantics with for example probabilistic choice, non terminating computations, and 
concurrency, may require a redesign of the proof-systems for narrow and abstract non- 
interference. It would be particularly interesting to extend Imp with concurrency. The 
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main interest in this extension deals both with the chance to reduce protocol verifica- 
tion to non-interference problems and with the possibility of modeling active attackers 
as abstract interpretations in language-based security. The models of attackers devel- 
oped in abstract non-interference are indeed passive [16]. Active attackers would be 
particularly relevant in order to extend abstract non-interference as a language-based 
tool for protocol validation. 
Abstract. Classical linear-time temporal logic (LTL) is capable of spec- 
ifying and reasoning about infinite behaviors only. While this is 
appropriate for specifying non-terminating reactive systems, there are 
situations (e. g., assume-guarantee reasoning, run-time verification) when 
it is desirable to be able to reason about finite and infinite behaviors. 
We propose an interpretation of the operators of LTL on finite and infi- 
nite behaviors, which defines an intuitionistic temporal logic (ILTL). We 
compare the expressive power of LTL and ILTL. We demonstrate that 
ILTL is suitable for assume-guarantee reasoning and for expressing prop- 
erties that relate finite and infinite behaviors. In particular, ILTL admits 
an elegant logical characterization of safety and liveness properties. 



1 Introduction 

Linear-time temporal logic (LTL) [18] is a convenient specification language for 
reactive systems. The underlying computational model is that of an infinite be- 
havior, i.e., a non-terminating sequence of interactions between the system and 
its environment, which makes LTL a specification language for infinite behav- 
iors only. In theory, this is not a problem because every reactive system with 
finite (and infinite) behaviors can be transformed into one which exhibits only 
infinite behaviors. In practice, however, it is sometimes essential to reason about 
finite and infinite behaviors simultaneously and, perhaps, to distinguish finite 
from infinite behaviors. For example, in run-time verification one needs to relate 
observed (real) finite behaviors to specified (ideal) infinite behaviors in order 
to determine whether the observations violate the specification or not. Or, in 
modular verification, one has to check that a component satisfies an assume- 
guarantee specification, which amounts to checking that the component keeps 
satisfying the guarantee at least as long as an arbitrary environment satisfies the 
assumption. Here again, assumption and guarantee are specified as sets of infi- 
nite behaviors whereas it is natural to view the component as a prefix-closed set 
of finite (and possibly infinite) behaviors. 

There are various suggestions as how to extend LTL to finite behaviors. For 
instance, [12] extends the logic with weak and strong next operators whose in- 
terpretations differ at the end of finite behaviors. Likewise, [7] interprets LTL 
formulas by weak and strong semantics, which also differ on finite behaviors. In 

J. Marcinkowski and A. Tarlecki (Eds.): CSL 2004, LNCS 3210, pp. 295—309, 2004. 
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contrast, we propose a semantics for LTL that treats finite and infinite behaviors 
uniformly. Inspired from the above view of reactive systems as prefix-closed sets 
of finite and infinite behaviors, our semantics is based on prefix-closed sets. This 
gives rise to a Heyting algebra of prefix-closed sets rather than a Boolean alge- 
bra (because the complement of a prefix-closed set need not be prefix-closed), 
so we end up with ILTL, an intuitionistic variant of LTL. The idea of using the 
Heyting algebra of prefix-closed sets of behaviors as the semantic basis for an 
intuitionistic logic can also be found in [3], [2] and [13]. However, the interpre- 
tation of the temporal operators of LTL in this Heyting algebra seems novel to 
this paper. Departing from the semantic approach to temporal logic, [6] studies 
a fragment of ILTL, namely the one generated by the temporal next-operator, 
using proof-theoretic methods. 

In temporal verification, the classification of safety and liveness properties, 
informally introduced by Lamport [11] and made precise by Alpern and Schnei- 
der [4], plays an important role because many (deductive) verification methods 
are applicable only to safety or liveness properties. Still, these methods are uni- 
versal thanks to the decomposition theorem [4] (and its effective version for 
w-regular properties [5]) stating that every linear-time temporal property can 
be expressed as a conjunction of a safety and a liveness property. Clearly, a sim- 
ilar classification of safety and liveness properties and a decomposition theorem 
for our intuitionistic logic ILTL would be desirable. We present a novel abstract 
classification of safety and liveness properties in a Heyting algebra, which is 
immediately applicable to all intuitionistic linear-time temporal logics including 
ILTL, and we prove a decomposition theorem. As the classification only uses the 
operators of the Heyting algebras, we obtain a simple logical characterization of 
safety and liveness and an effective decomposition theorem for free. 

Over the years, there has been a body of work about safety and liveness. In 
the direction of generalizing the topology-based results of Alpern and Schneider, 
[9] proves a decomposition theorem for disjunctively complete Boolean algebras, 
which [16] generalizes to modular complemented lattices. Our results subsume 
[9] because every Boolean algebra is a Heyting algebra. However, a modular com- 
plemented lattice need not be a Heyting algebra, and vice versa, so [16] is neither 
subsumed nor does it subsume our results. Beyond linear-time, [15] proposes a 
classification of safety and liveness for branching time. Concerning effective rea- 
soning with safety and liveness properties, [12] gives syntactic characterizations 
of safety and liveness properties in LTL with past operators; [19] does the same 
without using past operators. Interestingly, in the introduction to [17], Plotkin 
and Stirling shortly put forward some ideas about an intuitionistic linear-time 
temporal logic and a corresponding classification of safety and liveness proper- 
ties. We consider it likely that their ideas give rise to the same classification of 
safety and liveness as ours. 

Section 2 introduces some notation. Section 3 defines the intuitionistic 
temporal logic ILTL, compares it to its classical companion LTL and illustrates 
the use ILTL as a semantic basis for assume-guarantee specifications. Section 4 
introduces intuitionistic safety and liveness and compares these notions to the 
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classical ones proposed by Alpern and Schneider [4], and Section 5 presents 
a more abstract algebraic view on intuitionistic safety and liveness. Section 6 
concludes. Proofs which have been omitted here due to lack of space can be 
found in [14]. 



2 Preliminaries 

We fix a non-empty set of atomic propositions and denote its power set by $\Sigma$. Given 
an atomic proposition $p$, we abbreviate the set of sets containing $p$ by $\Sigma_p$, i.e., 
$\Sigma_p = \{a \in \Sigma \mid p \in a\}$. By $\Sigma^\infty$, we denote the set of non-empty words over the 
alphabet $\Sigma$. Words can be of finite or infinite length, so $\Sigma^\infty$ is partitioned into $\Sigma^+$ 
and $\Sigma^\omega$, the sets of finite and infinite words, respectively. Here in the context of 
discrete linear-time, a behavior is just a word in $\Sigma^\infty$. 

By $(\mathcal{P}(\Sigma^\infty), \cap, \cup)$, we denote the power set lattice of $\Sigma^\infty$, ordered by $\subseteq$. 
Frequently, we will refer to the elements of this lattice as languages or properties. 

We call a function $C : \mathcal{P}(\Sigma^\infty) \to \mathcal{P}(\Sigma^\infty)$ a closure operator on $\Sigma^\infty$ if $C$ is 
inflationary, idempotent and monotone, i.e., for all $L, L' \subseteq \Sigma^\infty$, $L \subseteq C(L)$ and 
$C(C(L)) = C(L)$ and $L \subseteq L'$ implies $C(L) \subseteq C(L')$. We call $C$ a topological 
closure operator on $\Sigma^\infty$ if $C$ is a closure operator which distributes over finite 
joins, i.e., $C(\emptyset) = \emptyset$ and for all $L_1, L_2 \subseteq \Sigma^\infty$, $C(L_1 \cup L_2) = C(L_1) \cup C(L_2)$. 

We define $\inf : \mathcal{P}(\Sigma^\infty) \to \mathcal{P}(\Sigma^\infty)$ as mapping a language $L$ to $\inf(L) = L \cap \Sigma^\omega$, 
the set of infinite behaviors in $L$. Note that $\inf$ is an endomorphism of the complete 
lattice $\mathcal{P}(\Sigma^\infty)$; in particular $\inf$ preserves infinite joins and meets. The range of 
$\inf$ is $\{\inf(L) \mid L \subseteq \Sigma^\infty\} = \mathcal{P}(\Sigma^\omega)$. Due to $\inf$ being an endomorphism, this 
range induces a complete sublattice of $\mathcal{P}(\Sigma^\infty)$, which turns out to be a complete 
lattice of sets. In fact, $\mathrm{INF} = (\mathcal{P}(\Sigma^\omega), \cap, \cup, -, \Sigma^\omega, \emptyset)$ is a complete 
Boolean algebra, where the unary operator $-$ denotes complementation, i.e., 
$-L = \{w \in \Sigma^\omega \mid w \notin L\}$. 



Let $\preceq$ denote the prefix order on $\Sigma^\infty$, and let $\mathrm{pref}(w) = \{u \in \Sigma^\infty \mid u \preceq w\}$ 
denote the set of all prefixes of a behavior $w \in \Sigma^\infty$. Thus, $\mathrm{pref} : \Sigma^\infty \to \mathcal{P}(\Sigma^\infty)$ 
is a function from behaviors to languages. We extend the domain of pref to languages 
in the usual way, i.e., we define $\mathrm{pref} : \mathcal{P}(\Sigma^\infty) \to \mathcal{P}(\Sigma^\infty)$ by 
$\mathrm{pref}(L) = \bigcup_{w \in L} \mathrm{pref}(w)$. Note that pref is a closure operator on $\Sigma^\infty$, which 
is why we call a language in the range of pref prefix-closed. Moreover, pref preserves 
infinite joins, yet in general, it does not preserve meets, not even finite ones. The 
range of pref, $\{\mathrm{pref}(L) \mid L \subseteq \Sigma^\infty\}$, is the set of prefix-closed languages. Despite 
pref not preserving all meets, the set of prefix-closed languages induces a complete 
sublattice of $\mathcal{P}(\Sigma^\infty)$, which turns out to be a complete lattice of sets. In fact, 
$\mathrm{PREF} = (\{\mathrm{pref}(L) \mid L \subseteq \Sigma^\infty\}, \cap, \cup, \Rightarrow, \Sigma^\infty, \emptyset)$ is a complete Heyting 
algebra, i.e., for all prefix-closed languages $L_1, L_2$ there is a greatest prefix-closed 
language $L$, namely $L = \{w \in \Sigma^\infty \mid \mathrm{pref}(w) \cap L_1 \subseteq L_2\}$, such that $L_1 \cap L \subseteq L_2$. 
We call $L$ the relative pseudo-complement of $L_1$ and $L_2$ and denote it by $L_1 \Rightarrow L_2$. 

3 Linear-Time Temporal Logics 

The set of formulas of the linear-time temporal logics considered in this 
paper is defined by the following grammar, where $p$ ranges over the atomic 
propositions, and $\varphi$ and $\psi$ range over formulas: 

$\varphi ::= \top \mid \bot \mid p \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \varphi \to \psi \mid \neg\varphi \mid \mathrm{X}\varphi \mid \mathrm{F}\varphi \mid \mathrm{G}\varphi \mid \varphi\,\mathrm{U}\,\psi \mid \varphi\,\mathrm{W}\,\psi$ 

For formulas $\varphi, \psi$, we treat $\varphi \leftrightarrow \psi$ as a shorthand for $(\varphi \to \psi) \wedge (\psi \to \varphi)$. To 
save on parentheses, we adopt the convention that the unary operators $\neg$ (nega- 
tion), X (next), F (eventually) and G (always) have the highest binding power, 
followed by the binary operators U (until) and W (weak until). The remaining 
binary operators follow with binding power decreasing in the usual order from 
$\wedge$ (conjunction) to $\vee$ (disjunction) to $\to$ (implication) to $\leftrightarrow$ (equivalence). 

We say that a formula is in negation normal form (NNF ) if it does not contain 
implication nor equivalence and negation is applied only to atomic propositions. 

3.1 Classical Semantics 

By interpreting formulas over the Boolean algebra INF, we provide a semantical 
definition of the classical linear-time temporal logic LTL,¹ where the classical 
interpretation function $\mathrm{Mod}_c$ is defined recursively in Figure 1. 

This definition makes use of the monotone functions $\mathrm{next}_c$ and $\mathrm{untilnext}[L_1, L_2]_c$ 
(with parameters $L_1, L_2 \in \mathcal{P}(\Sigma^\omega)$) on $\mathcal{P}(\Sigma^\omega)$, which map a language $L$ to $\mathrm{next}_c(L) = 
\Sigma L$ and $\mathrm{untilnext}[L_1, L_2]_c(L) = L_2 \cup (L_1 \cap \mathrm{next}_c(L))$, respectively. 

Given sets of formulas $\Phi$ and $\Psi$, we say that $\Phi$ classically entails $\Psi$, denoted 
by $\Phi \models_c \Psi$, if $\bigcap_{\varphi \in \Phi} \mathrm{Mod}_c(\varphi) \subseteq \bigcup_{\psi \in \Psi} \mathrm{Mod}_c(\psi)$. If $\Phi$ is a singleton set $\{\varphi\}$, 
we may omit set braces and write $\varphi \models_c \Psi$ in place of $\{\varphi\} \models_c \Psi$; similarly for 
$\Psi = \{\psi\}$. If $\Phi$ is the empty set, we may write $\models_c \Psi$ in place of $\emptyset \models_c \Psi$. We call 
$\psi$ a classical tautology if $\models_c \psi$. 

3.2 Intuitionistic Semantics 

Similar to the classical logic above, we define an intuitionistic variant called 
ILTL by interpreting formulas over the Heyting algebra PREF, where the intu- 
itionistic interpretation function $\mathrm{Mod}_i$, mapping formulas to prefix-closed languages, 
is defined recursively in Figure 2. This definition uses the monotone functions $\mathrm{next}_i$ 
and $\mathrm{untilnext}[L_1, L_2]_i$ (with prefix-closed parameters $L_1, L_2$) on prefix-closed 
languages, which map a prefix-closed language $L$ to $\mathrm{next}_i(L) = \Sigma \cup \Sigma L$ and 
$\mathrm{untilnext}[L_1, L_2]_i(L) = L_2 \cup (L_1 \cap \mathrm{next}_i(L))$, respectively. 



¹ Although presented differently, this semantics agrees with the standard semantical 
definition of LTL, cf. [18] or [8]. 




Intuitionistic LTL and a New Characterization of Safety and Liveness 



299 




Fig. 1. Classical interpretation of formulas 



Given sets of formulas $\Phi$ and $\Psi$, we say that $\Phi$ intuitionistically entails $\Psi$, 
denoted by $\Phi \models_i \Psi$, if $\bigcap_{\varphi \in \Phi} \mathrm{Mod}_i(\varphi) \subseteq \bigcup_{\psi \in \Psi} \mathrm{Mod}_i(\psi)$. As in the classical case, 
we may omit set braces around single formulas, and we may omit the empty set 
on the left-hand side. We call $\psi$ an intuitionistic tautology if $\models_i \psi$. 

Proposition 1. For all formulas $\varphi, \psi$: $\varphi \models_i \psi$ if and only if $\models_i \varphi \to \psi$. 

In summary, the definition of the intuitionistic semantics is largely analogous 
to the definition of the classical semantics, except for the intuitionistic interpre- 
tation of implication and negation and a slight difference in the treatment of 
the next operator. Note that these differences are forced by the carrier of 
the Heyting algebra, as the classical interpretations do not result in prefix-closed 
sets. 

3.3 Expressive Power 

Fig. 2. Intuitionistic interpretation of formulas 

Comparing the expressive power of LTL and ILTL amounts to comparing the sets 
of behaviors that can be specified by formulas in these logics. Unfortunately, 
LTL and ILTL interpret formulas over the two different algebras INF and PREF, 
so we cannot directly compare their interpretations. However, using the defining 
mappings $\inf : \mathcal{P}(\Sigma^\infty) \to \mathcal{P}(\Sigma^\omega)$ and $\mathrm{pref} : \mathcal{P}(\Sigma^\infty) \to \mathcal{P}(\Sigma^\infty)$ of these algebras, 
we can map the carrier of each algebra to (a subset of) the carrier of the other 
and thus compare. 



In INF. First, we compare LTL and ILTL in the Boolean 
algebra of sets of infinite behaviors INF, i.e., we restrict the intuitionistic se- 
mantics to infinite words via inf. The proposition below relates the semantics 
for formulas in negation normal form. From this proposition follows that intu- 
itionistic entailment of formulas in NNF implies classical entailment and that in 
INF, ILTL is at least as expressive as LTL. 

Proposition 2. For all formulas $\varphi$ in NNF, $\mathrm{Mod}_c(\varphi) = \inf(\mathrm{Mod}_i(\varphi))$. 

Corollary 3. For all sets $\Phi, \Psi$ of formulas in NNF, $\Phi \models_i \Psi$ implies $\Phi \models_c \Psi$. 

Corollary 4. In INF, ILTL is at least as expressive as LTL, i.e., for all formulas $\varphi$ 
there exist formulas $\psi$ such that $\inf(\mathrm{Mod}_i(\psi)) = \mathrm{Mod}_c(\varphi)$. 

It is unknown whether the converse of Corollary 4 is also true, i.e., whether 
for all formulas $\psi$ there exist formulas $\varphi$ such that $\inf(\mathrm{Mod}_i(\psi)) = \mathrm{Mod}_c(\varphi)$. We 
conjecture that this is the case. However, this seems difficult to prove since in 
intuitionistic logics, we cannot use equivalence transformations to normal forms 
like NNF. 



In PREF. Now, we compare LTL and ILTL in the Heyting 
algebra of prefix-closed sets of behaviors PREF, i.e., we extend the classical 
semantics into prefix-closed sets via pref. The proposition below shows that the 
two logics cannot be equally expressive in PREF. 

Proposition 5. There is no formula $\varphi$ such that $\mathrm{pref}(\mathrm{Mod}_c(\varphi)) = \Sigma = \mathrm{Mod}_i(\mathrm{X}\bot)$. 

This implies that either the two logics are incomparable or ILTL is strictly 
more expressive than LTL, but it is not known which case holds true. We conjec- 
ture that ILTL is more expressive than LTL, yet proving this, i.e., proving that 
for all formulas $\varphi$ there exist formulas $\psi$ such that $\mathrm{pref}(\mathrm{Mod}_c(\varphi)) = \mathrm{Mod}_i(\psi)$, 
might require a lemma similar to Proposition 2. However, such a lemma seems 
difficult to obtain. In particular, the proof of Proposition 2 cannot be directly 
adapted since it exploits the fact that inf distributes over intersections, which 
pref does not do. 

3.4 Application: Assume- Guarantee Specifications 

Modular verification naturally demands for so-called assume-guarantee specifica- 
tions (A-G specs), which are pairs of formulas in some temporal logic. Informally, 
a component of a system satisfies an A-G spec $\varphi \triangleright \psi$ if the component sat- 
isfies the guarantee $\psi$ at least as long as its environment (including the other 
components) meets the assumption $\varphi$. Once A-G specs are available for all com- 
ponents, properties of the global system may be deduced from the composition 
(i.e., conjunction) of these A-G specs instead of the (potentially large) parallel 
composition of all components. Due to possibly circular dependencies between 
assumptions and guarantees, composing A-G specs in a sound way requires non- 
trivial composition rules, see for instance [1], [10] or [13]. 

In the Heyting algebra of prefix-closed sets of finite behaviors, [3] demon- 
strates that under a suitable notion of concurrency (shared variables and inter- 
leaving execution) an A-G spec $\varphi \triangleright \psi$ corresponds to an intuitionistic implication 
$\varphi \to \psi$, which gave rise to composition rules based on conjunction of intuitionistic 
implication. Later, Abadi and Merz [2] found a more general interpretation of 
the operator $\triangleright$ which again can be reduced to intuitionistic implication. Here, 
we present their interpretation of $\triangleright$ in PREF, the Heyting algebra of prefix- 
closed sets of finite and infinite behaviors. For formulas $\varphi, \psi$, the semantics of 
$\varphi \triangleright \psi$ is defined by 

$\mathrm{Mod}_i(\varphi \triangleright \psi) = \{w \in \Sigma^\infty \mid \forall v \in \mathrm{pref}(w) :\ \mathrm{pref!}(v) \subseteq \mathrm{Mod}_i(\varphi) \text{ implies } v \in \mathrm{Mod}_i(\psi)\},$ 

where $\mathrm{pref!} : \Sigma^\infty \to \mathcal{P}(\Sigma^\infty)$ maps behaviors to their sets of proper prefixes, 
i.e., $\mathrm{pref!}(u) = \mathrm{pref}(u) \setminus \{u\}$. By well-founded induction on the prefix order, [2] 
proves that for all formulas $\varphi, \psi$, $\mathrm{Mod}_i(\varphi \triangleright \psi) = \mathrm{Mod}_i((\psi \triangleright \varphi) \to \psi)$, hence in 
PREF, A-G specs are merely shorthands for intuitionistic implication. This 
fact is exploited in [2] to develop concise soundness proofs of various proof rules 
for conjoining circularly dependent A-G specs. 

A general observation about such composition rules for A-G specs is that 
they essentially only admit circular dependencies on safety properties. In classi- 
cal linear-time temporal logics, this can be achieved by decomposing properties 
into their safety and liveness parts — which is always possible thanks to the 
decomposition theorems in [4] and [5] — and disallowing circular dependencies 
on the liveness parts. Therefore, it is natural to ask for similar decomposition 
theorems for intuitionistic temporal logics. 

4 Safety and Liveness 

In this section, we introduce notions of safety and liveness for the intuitionistic 
temporal logic ILTL and compare them to the corresponding notions for LTL as 
proposed by Alpern and Schneider [4]. Actually, Alpern and Schneider did not 
define safety and liveness for LTL but for the Boolean algebra INF of sets of 
infinite behaviors, over which LTL formulas are interpreted. Consequently, we 
define safety and liveness for the Heyting algebra PREF of prefix-closed sets of 
finite and infinite behaviors. 
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4.1 Safety and Liveness in Classical Logics 

We start by reviewing the standard notions of safety and liveness for classical 
linear-time temporal logics as introduced in [4]. There, safety and liveness are 
defined in terms of a topology on $\Sigma^\omega$ (in fact, the Cantor topology on $\Sigma^\omega$ if $\Sigma$ 
is finite) which is induced by the topological closure operator $\mathcal{C}_c$ on $\Sigma^\omega$ with 
$\mathcal{C}_c(L) = \{w \in \Sigma^\omega \mid \mathrm{pref}(w) \cap \Sigma^+ \subseteq \mathrm{pref}(L)\}$ for all $L \subseteq \Sigma^\omega$. We call $L \in \mathcal{P}(\Sigma^\omega)$ 
a classical safety property if $L$ is closed, i.e., $\mathcal{C}_c(L) = L$, and a classical liveness 
property if $L$ is dense, i.e., $\mathcal{C}_c(L) = \Sigma^\omega$. 

As closed sets of a topological space, classical safety properties are closed 
under finitary disjunction and infinitary conjunction. And as dense sets, classical 
liveness properties are closed under infinitary disjunction and under implication. 



Proposition 6. For all $w \in \Sigma^\omega$, all classical safety properties $L_1, L_2 \in \mathcal{P}(\Sigma^\omega)$ 
and all sets $\mathcal{L} \subseteq \mathcal{P}(\Sigma^\omega)$ of classical safety properties, the following are classical 
safety properties: $\emptyset$, $\{w\}$, $L_1 \cup L_2$ and $\bigcap_{L \in \mathcal{L}} L$. 

Proposition 7. For all $L_1, L_2 \in \mathcal{P}(\Sigma^\omega)$ such that $L_2$ is a classical liveness property, 
and all $\mathcal{L} \subseteq \mathcal{P}(\Sigma^\omega)$ containing some classical liveness property $L_0 \in \mathcal{L}$, the following 
are classical liveness properties: $\bigcup_{L \in \mathcal{L}} L$ and $L_1 \to L_2 = -L_1 \cup L_2$. 



It is instructive to see which logical operations do not preserve classical safety 
or liveness properties. In the following examples, let p and q be atomic proposi- 
tions. 



— Neither safety nor liveness properties are closed under negation. For instance, 
$\mathrm{Mod}_c(\mathrm{G}p)$ is a safety property but $\mathrm{Mod}_c(\neg\mathrm{G}p) = \mathrm{Mod}_c(\mathrm{F}\neg p)$ is a liveness 
property. 

— Safety properties are not closed under implication. E.g., $\mathrm{Mod}_c(\mathrm{G}p)$ and 
$\mathrm{Mod}_c(\mathrm{G}q)$ are safety properties but $\mathrm{Mod}_c(\mathrm{G}p \to \mathrm{G}q) = \mathrm{Mod}_c(\mathrm{F}\neg p \vee \mathrm{G}q)$ is 
a liveness property. 

— Safety properties cannot be closed under infinitary disjunction. Otherwise, 
every $L \in \mathcal{P}(\Sigma^\omega)$ would be a safety property because $L = \bigcup_{w \in L} \{w\}$. 

— Liveness properties are not closed under intersection. E.g., $\mathrm{Mod}_c(\mathrm{GF}p)$ 
and $\mathrm{Mod}_c(\mathrm{FG}\neg p)$ are both liveness properties but $\mathrm{Mod}_c(\mathrm{GF}p \wedge \mathrm{FG}\neg p) = 
\mathrm{Mod}_c(\mathrm{GF}p \wedge \neg\mathrm{GF}p)$ is not. 

The (trivial) property $\Sigma^\omega$ is the only one which is both a safety and a liveness 
property, but there are many properties which are neither. For instance, $L = 
\mathrm{Mod}_c(p\,\mathrm{U}\,q)$ is such a property because $\mathcal{C}_c(L) = \mathrm{Mod}_c(p\,\mathrm{U}\,q \vee \mathrm{G}p) \neq L$ and 
$\mathcal{C}_c(L) \neq \Sigma^\omega$. However, [4] at least proves that all properties in classical linear- 
time temporal logics can be decomposed into their safety and liveness parts. 

Proposition 8. For all $L \in \mathcal{P}(\Sigma^\omega)$, $L = \mathcal{C}_c(L) \cap (-\mathcal{C}_c(L) \cup L)$, where $\mathcal{C}_c(L)$ is a 
classical safety property and $-\mathcal{C}_c(L) \cup L$ is a classical liveness property. 
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4.2 Safety and Liveness in Intuitionistic Logics 

To transfer the notions of safety and liveness to the Heyting algebra PREF, we 
generalize the closure operator $\mathcal{C}_c : \mathcal{P}(\Sigma^\omega) \to \mathcal{P}(\Sigma^\omega)$ to $\mathcal{C}_i : \mathcal{P}(\Sigma^\infty) \to \mathcal{P}(\Sigma^\infty)$ 
by defining $\mathcal{C}_i(L) = \{w \in \Sigma^\infty \mid \mathrm{pref}(w) \cap \Sigma^+ \subseteq \mathrm{pref}(L)\}$. It turns out that 
$\mathcal{C}_i$ is a topological closure operator on $\Sigma^\infty$ and hence induces a topology; 
in fact, it induces the Scott topology on $\Sigma^\infty$ (ordered by the prefix order) if 
$\Sigma$ is countable. Thus, we can reuse the topological definitions of safety and 
liveness and call a prefix-closed language $L$ an intuitionistic safety property if $\mathcal{C}_i(L) = L$, 
and an intuitionistic liveness property if $\mathcal{C}_i(L) = \Sigma^\infty$. 

Note that $\mathcal{C}_i$ is algebraically definable in PREF because for all prefix-closed $L$, 
$\mathcal{C}_i(L) = \{w \in \Sigma^\infty \mid \mathrm{pref}(w) \cap \Sigma^+ \subseteq L\} = \Sigma^+ \Rightarrow L$. Therefore, $L$ is an intuition- 
istic safety property iff $\Sigma^+ \Rightarrow L = L$ iff $\Sigma^+ \Rightarrow L \subseteq L$, and $L$ is an intuitionistic 
liveness property iff $\Sigma^+ \Rightarrow L = \Sigma^\infty$ iff $\Sigma^+ \subseteq L$ iff $\Sigma^+ \cup L = L$. For compre- 
hending these algebraic definitions, the following intuition might help. Safety 
and liveness properties differ fundamentally in the way they constrain finite and 
infinite behaviors. If a safety property is refuted then it can always be refuted 
by a finite behavior, whereas a liveness property can never be refuted by a finite 
behavior. So one could say that a safety property $L$ essentially only constrains 
finite behaviors in the sense that whenever all finite prefixes of an infinite be- 
havior $w$ satisfy $L$ (i.e., $w \in \Sigma^+ \Rightarrow L$) then $w$ satisfies $L$. Likewise, a liveness 
property $L$ essentially only constrains infinite behaviors in the sense that all 
finite behaviors satisfy $L$. 

Intuitionistic safety and liveness properties are closed under essentially the 
same logical operations as their classical counterparts. Additionally, intuitionistic 
safety properties are closed under (intuitionistic) implication and negation, and 
intuitionistic liveness properties are closed under infinitary conjunction. 



Proposition 9. For all $w \in \Sigma^\infty$, all intuitionistic safety properties $L, L_1, L_2$ and all 
sets $\mathcal{L}$ of intuitionistic safety properties, the following are intuitionistic safety 
properties: $\emptyset$, $\mathrm{pref}(w)$, $L_1 \cup L_2$, $\bigcap_{L \in \mathcal{L}} L$, $L_1 \Rightarrow L_2$ and $-L = L \Rightarrow \emptyset$. 

Proof. The claims for $\emptyset$ and $\mathrm{pref}(w)$ follow from the definition of safety because $\Sigma^+ \Rightarrow \emptyset = \emptyset$ 
and $\Sigma^+ \Rightarrow \mathrm{pref}(w) = \{v \in \Sigma^\infty \mid \mathrm{pref}(v) \cap \Sigma^+ \subseteq \mathrm{pref}(w)\} = \mathrm{pref}(w)$. All other 
claims follow from Propositions 15 and 17 and Corollary 16, see next section. □ 



Proposition 10. For all prefix-closed $L_1, L_2$ such that $L_2$ is an intuitionistic liveness 
property, all sets $\mathcal{L}$ of prefix-closed languages containing some intuitionistic liveness 
property $L_0 \in \mathcal{L}$, and all sets $\mathcal{L}'$ of intuitionistic liveness properties, the following are 
intuitionistic liveness properties: $\bigcup_{L \in \mathcal{L}} L$, $L_1 \Rightarrow L_2$ and $\bigcap_{L \in \mathcal{L}'} L$. 

Proof. Follows from Proposition 18, see next section. □ 

We notice that intuitionistic safety properties are not closed under infinitary 
disjunction, for the same reason as in the classical case. And intuitionistic liveness 
properties are not closed under (intuitionistic) negation. E.g., $\mathrm{Mod}_i(\mathrm{F}p)$ is a 
liveness property but $\mathrm{Mod}_i(\neg\mathrm{F}p) = \mathrm{Mod}_i(\bot)$ is not. 

Similar to the classical case, $\Sigma^\infty$ is the only property which is both an intu- 
itionistic safety and liveness property, cf. Proposition 20. Again, there are many 
properties which are neither; this follows from Proposition 13 below. Yet, there 
is also the following decomposition theorem. 

Proposition 11. For all prefix-closed $L$, $L = (\Sigma^+ \Rightarrow L) \cap (\Sigma^+ \cup L)$, where $\Sigma^+ \Rightarrow L$ 
is an intuitionistic safety property and $\Sigma^+ \cup L$ is an intuitionistic liveness property. 

Proof. Follows from Proposition 19, see next section. □ 

So far, our approach to safety and liveness was purely semantical, relying only 
on the operators of the Heyting algebra PREF and the constant $\Sigma^+$. However, 
these operators correspond to the intuitionistic connectives of ILTL, and $\Sigma^+$ 
is expressible in ILTL, namely $\Sigma^+ = \mathrm{Mod}_i(\mathrm{F}\bot)$. Immediately, this gives us a 
simple logical characterization of intuitionistic safety and liveness and a logical 
formulation of the decomposition theorem. 

Corollary 12. For all formulas $\varphi$: 

$\mathrm{Mod}_i(\varphi)$ is an intuitionistic safety property iff $\models_i (\mathrm{F}\bot \to \varphi) \to \varphi$; 

$\mathrm{Mod}_i(\varphi)$ is an intuitionistic liveness property iff $\models_i \mathrm{F}\bot \to \varphi$; 

$\models_i \varphi \leftrightarrow (\mathrm{F}\bot \to \varphi) \wedge (\mathrm{F}\bot \vee \varphi)$. 
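The following is an added example and not code from the paper. It builds a finite stand-in for PREF over a two-letter alphabet: the words up to a fixed length play the role of $\Sigma^+$, and for each word of maximal length a marked copy (written with a trailing `*`) plays the role of the infinite behavior extending it, so that, as in the real construction, every finite prefix of an "infinite" behavior lies in $\Sigma^+$. This truncation is an assumption of the model, not part of the paper. On the model the code computes $L_1 \Rightarrow L_2$ by the formula from Section 2, checks the defining law of the relative pseudo-complement against every triple of prefix-closed sets, and verifies by exhaustive enumeration the algebraic safety and liveness tests $\Sigma^+ \Rightarrow L \subseteq L$ and $\Sigma^+ \subseteq L$ together with the decomposition of Proposition 11, including that $\Sigma^\infty$ is the only property that is both; the set $\{a, aa, aa{*}\}$ stands in for $\mathrm{Mod}_i(\mathrm{G}a)$ with the letter $a$ playing the role of an atomic proposition.

```python
# Added example (not from the paper): a finite model of the Heyting algebra PREF.
from itertools import product

INF_MARK = "*"   # "aa*" denotes the infinite behaviour whose finite window is "aa"


class PrefModel:
    """Prefix-closed languages over a small alphabet, truncated at length maxlen.

    Assumption of this model: the words of length <= maxlen are Sigma^+, and for
    every word u of length maxlen the marked word u* stands in for an infinite
    behaviour extending u.  The model is finite, unlike the paper's construction."""

    def __init__(self, alphabet=("a", "b"), maxlen=2):
        self.finite = frozenset("".join(t) for n in range(1, maxlen + 1)
                                for t in product(alphabet, repeat=n))          # Sigma^+
        self.infinite = frozenset(w + INF_MARK for w in self.finite if len(w) == maxlen)
        self.all = self.finite | self.infinite                                  # Sigma^infinity

    @staticmethod
    def pref(w):
        """pref(w): the non-empty prefixes of w, w included.  For u* these are the
        prefixes of u (u included, all of them finite) together with u* itself."""
        base = w[:-1] if w.endswith(INF_MARK) else w
        return frozenset({base[:k] for k in range(1, len(base) + 1)} | {w})

    def pref_closure(self, L):
        return frozenset(u for w in L for u in self.pref(w))

    def implies(self, L1, L2):
        """Relative pseudo-complement L1 => L2 = {w | pref(w) ∩ L1 ⊆ L2} (Section 2)."""
        return frozenset(w for w in self.all if self.pref(w) & L1 <= L2)

    def neg(self, L):
        return self.implies(L, frozenset())

    def is_safety(self, L):
        """Sigma^+ => L ⊆ L: a behaviour all of whose finite prefixes are in L is in L."""
        return self.implies(self.finite, L) <= L

    def is_liveness(self, L):
        """Sigma^+ ⊆ L: no finite behaviour refutes L."""
        return self.finite <= L

    def safety_part(self, L):
        return self.implies(self.finite, L)

    def liveness_part(self, L):
        return self.finite | L

    def prefix_closed_sets(self):
        """Every prefix-closed subset of the model, i.e. the carrier of PREF."""
        elems = sorted(self.all)
        sets = []
        for mask in range(1 << len(elems)):
            L = frozenset(e for i, e in enumerate(elems) if mask >> i & 1)
            if self.pref_closure(L) == L:
                sets.append(L)
        return sets


def heyting_law_holds(model):
    """z ⊆ (x => y) iff x ∩ z ⊆ y, for all prefix-closed x, y, z."""
    sets = model.prefix_closed_sets()
    for x in sets:
        for y in sets:
            imp = model.implies(x, y)
            if any((z <= imp) != (x & z <= y) for z in sets):
                return False
    return True


def decomposition_holds(model):
    """Proposition 11 on every prefix-closed L: L = (Sigma^+ => L) ∩ (Sigma^+ ∪ L),
    the first conjunct a safety and the second a liveness property."""
    return all(model.safety_part(L) & model.liveness_part(L) == L
               and model.is_safety(model.safety_part(L))
               and model.is_liveness(model.liveness_part(L))
               for L in model.prefix_closed_sets())


def both_safety_and_liveness(model):
    """Prefix-closed sets that are safety and liveness at once; expected: only Sigma^infinity."""
    return [L for L in model.prefix_closed_sets()
            if model.is_safety(L) and model.is_liveness(L)]


def classify(model, L):
    return ("safety" if model.is_safety(L) else "not safety",
            "liveness" if model.is_liveness(L) else "not liveness")


if __name__ == "__main__":
    m = PrefModel()
    always_a = frozenset({"a", "aa", "aa*"})      # stands in for Mod_i(G a)
    print(classify(m, always_a))                  # ('safety', 'not liveness')
    print(classify(m, m.finite | {"aa*"}))        # ('not safety', 'liveness')
    print(heyting_law_holds(m), decomposition_holds(m), both_safety_and_liveness(m) == [m.all])
```

The two classified sets show the asymmetry the section describes: the "always a" property is refuted by any finite behavior containing a b and so is safety but not liveness, while $\Sigma^+$ together with a single infinite behavior is liveness but not safety, because $\Sigma^+ \Rightarrow L$ is then all of $\Sigma^\infty$. The exhaustive checks are what make the model useful: any change to `implies` or to the marked-word convention that breaks the Heyting law or the decomposition is caught immediately, which is the kind of regression test one wants before trusting a hand proof about a finite encoding of an infinite structure.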

4.3 Classical Versus Intuitionistic Safety and Liveness 

In Section 3, the mappings inf : P(27°°) — > and pref : P(27°°) ^ 

were used to compare the expressive power of the logics and . Now, we 
will use the same mappings to investigate the relationship between the classical 
notions of safety and liveness and their intuitionistic counterparts. 

It turns out that the intuitionistic notions of safety and liveness subsume the 
classical ones because every classical safety resp. liveness property is mapped to a 
corresponding intuitionistic property via pref. However, only the classical notion 
of safety subsumes the intuitionistic one in the sense that every intuitionistic 
safety property is mapped to a corresponding classical property via inf. For 
liveness this is not the case. For instance, $\Sigma^+$ is an intuitionistic liveness property
to which no corresponding classical property exists, in particular $\mathrm{inf}(\Sigma^+) = \emptyset$ is
not a classical liveness property.

Proposition 13. Let $L$ be a classical property.

1. If $L$ is a classical safety property then $\mathrm{pref}(L)$ is an intuitionistic safety property.

2. If $L$ is a classical liveness property then $\mathrm{pref}(L)$ is an intuitionistic liveness property.

Proposition 14. Let $L \in \mathrm{PREF}$.

1. If $L$ is an intuitionistic safety property then $\mathrm{inf}(L)$ is a classical safety property.

2. If $\mathrm{inf}(L)$ is a classical liveness property then $L$ is an intuitionistic liveness property.

Note that the statements of Proposition 14 cannot be reversed. To see this let $L =
\mathrm{Mod}_I(F\bot \vee Gp)$, where $p$ is an atomic proposition. Then $\mathrm{inf}(L) = \mathrm{Mod}_C(Gp)$.
Thus, $\mathrm{inf}(L)$ is a classical safety property but $\Sigma^+ \Rightarrow L = \Sigma^\infty \neq L$, so $L$ is not an
intuitionistic safety property. However, $\Sigma^+ \subseteq L$, so $L$ is an intuitionistic liveness
property but $\mathrm{inf}(L)$ is not a classical one.

5 Algebraic Characterization of Safety and Liveness 

In this section, we develop notions of safety and liveness and prove a decomposi- 
tion theorem for arbitrary Heyting algebras. Thus, we provide abstract algebraic 
proofs for the claims of the previous section about safety and liveness in the con- 
crete Heyting algebra of prefix-closed sets of behaviors PREF . 

Let $\mathcal{H} = (H, \sqcap, \sqcup, \Rightarrow, \bot, \top)$ be a Heyting algebra. We denote the order rela-
tion on this algebra by $\sqsubseteq$. Recall that $(H, \sqcap, \sqcup)$ is a distributive lattice with $\bot$
and $\top$ and for all $x, y, z \in H$, $z \sqsubseteq x \Rightarrow y$ if and only if $x \sqcap z \sqsubseteq y$. This equivalence
can be seen as the definition of $x \Rightarrow y$, the pseudo-complement of $x$ relative to
$y$. For $x \in H$, we denote by $-x$ the pseudo-complement of $x$, which is defined
as $-x = x \Rightarrow \bot$. Note that if the law of excluded middle holds in $\mathcal{H}$ (i.e., if
$x \sqcup -x = \top$ for all $x \in H$) then $x \Rightarrow y = -x \sqcup y$.

By $J(\mathcal{H})$ we denote the join-irreducible elements in $H$, where $j \in H$ is
join-irreducible iff $j \neq \bot$ and for all $x, y \in H$, $j = x \sqcup y$ implies $j = x$ or $j = y$.
Note that for $j \in J(\mathcal{H})$ and $x, y \in H$, $j \sqsubseteq x \sqcup y$ implies $j \sqsubseteq x$ or $j \sqsubseteq y$ because
$\mathcal{H}$ is distributive. We call a subset $S \subseteq H$ join-dense in $H$ iff for every $x \in H$
there exists $T \subseteq S$ such that $x = \bigsqcup T$. We call a subset $S \subseteq H$ a forest iff for
each $x \in S$, the set $T = \{y \in S \mid y \sqsubseteq x\}$ induces a linear suborder of $\mathcal{H}$, i.e., for
all $u, v \in T$, $u \sqsubseteq v$ or $v \sqsubseteq u$.

Throughout this section, we fix an arbitrary element $a \in H$, relative to
which we will define safety and liveness. In $\mathcal{H}$, this $a$ plays the role of $\Sigma^+$ in
PREF, i.e., it separates the ‘finite’ from the ‘infinite’ behaviors. Remarkably,
the closure properties (except for closure under negation) and the decomposition
theorem below hold independent of the choice of $a$. Thus in PREF, we may well
choose non-standard separating elements, for instance E, to define interesting
non-standard notions of safety and liveness.

5.1 Safe Elements 

We define the function $\mathrm{safe}_a : H \to H$ by $\mathrm{safe}_a(x) = a \Rightarrow x$. The function $\mathrm{safe}_a$
is a closure operator, hence we call $\mathrm{safe}_a$ the safety closure. We call an element
$x \in H$ $a$-safe, if $x$ is a fixpoint of this closure, i.e., $\mathrm{safe}_a(x) = x$.

We investigate whether safe elements are closed under the operations of the 
Heyting algebra and hence under the corresponding intuitionistic connectives. It 
turns out that safe elements are closed under implication and conjunction, even
under infinitary conjunction. Whether safe elements are closed under negation
depends on $\bot$ being safe.

Fig. 3. A Heyting algebra where the $a$-safe elements are not closed under join

Proposition 15. Let $x, y \in H$ and $S \subseteq H$.

1. $\top$ is $a$-safe.

2. If $y$ is $a$-safe then $x \Rightarrow y$ is $a$-safe.

3. If all $s \in S$ are $a$-safe then $\bigsqcap S$ is $a$-safe.

Proof. Assume that $y$ and all $s \in S$ are $a$-safe.

1. $\mathrm{safe}_a(\top) = a \Rightarrow \top = \top$.

2. $\mathrm{safe}_a(x \Rightarrow y) = a \Rightarrow (x \Rightarrow y) = (a \sqcap x) \Rightarrow y = (x \sqcap a) \Rightarrow y = x \Rightarrow (a \Rightarrow y) = x \Rightarrow y$,
where the last equality holds because $y$ is $a$-safe.

3. $\mathrm{safe}_a(\bigsqcap S) = a \Rightarrow \bigsqcap S = \bigsqcap_{s \in S}(a \Rightarrow s) = \bigsqcap_{s \in S} s = \bigsqcap S$, where the second
equality holds because $\Rightarrow$ completely distributes over meets on the right-
hand side, and the third equality holds because all $s$ are $a$-safe. □

Corollary 16. $\bot$ is $a$-safe iff for all $x \in H$, $x$ being $a$-safe implies $-x$ being $a$-safe.

In general, safe elements are not closed under disjunction. For instance, in the
Heyting algebra in figure 3, $b$ and $c$ are $a$-safe because $a \Rightarrow b = b$ and $a \Rightarrow c = c$,
but $a \Rightarrow (b \sqcup c) = a \Rightarrow a = \top$, so $b \sqcup c$ is not $a$-safe. Yet, if the Heyting algebra
$\mathcal{H}$ satisfies a natural condition, namely that the join-irreducible elements form
a join-dense forest, then safe elements are closed under finite disjunction.

Proposition 17. Let $J(\mathcal{H})$ be a join-dense forest in $H$ and $x, y \in H$. If $x$ and $y$ are
$a$-safe then $x \sqcup y$ is $a$-safe.

Proof. Omitted due to lack of space; see [14] instead. □

Note that in the Heyting algebra in figure 3, safe elements fail to be closed
under disjunction because the join-irreducibles $b$, $c$ and $\top$ do not form a forest.
However, in the Heyting algebra PREF of prefix-closed sets of behaviors, the
join-irreducibles are the prefix-closures of single behaviors, i.e., $J(\mathrm{PREF}) =
\{\mathrm{pref}(w) \mid w \in \Sigma^\infty\}$. Obviously, $J(\mathrm{PREF})$ forms a forest, which is join-dense
in PREF. Hence, safety properties in PREF are closed under finite disjunction.
5.2 Live Elements

We define the function $\mathrm{live}_a : H \to H$ by $\mathrm{live}_a(x) = a \sqcup x$. The function $\mathrm{live}_a$ is
a closure operator, hence we call $\mathrm{live}_a$ the liveness closure. We call an element
$x \in H$ $a$-live, if $x$ is a fixpoint of this closure, i.e., $\mathrm{live}_a(x) = x$.

Similar to the case for safe elements, we investigate whether live elements 
are closed under the operations of the Heyting algebra and hence under the 
corresponding intuitionistic connectives. It turns out that live elements are closed 
under implication and under finitary and infinitary conjunction and disjunction. 

Proposition 18. Let $x, y \in H$ and $S, T \subseteq H$.

1. $\top$ is $a$-live.

2. If $y$ is $a$-live then $x \Rightarrow y$ is $a$-live.

3. If all $s \in S$ are $a$-live then $\bigsqcap S$ is $a$-live.

4. If some $t_0 \in T$ is $a$-live then $\bigsqcup T$ is $a$-live.

Proof. Assume that $y$ and all $s \in S$ are $a$-live, and let $t_0 \in T$ be $a$-live.

1. $\mathrm{live}_a(\top) = a \sqcup \top = \top$.

2. As $\mathrm{live}_a(y) = a \sqcup y = y$, we have $a \sqsubseteq y = y \sqcap (x \Rightarrow y) \sqsubseteq x \Rightarrow y$. Hence
$\mathrm{live}_a(x \Rightarrow y) = a \sqcup (x \Rightarrow y) = x \Rightarrow y$.

3. As $\mathrm{live}_a(s) = a \sqcup s = s$ for all $s \in S$, we have $a \sqsubseteq s$ for all $s \in S$, so $a \sqsubseteq \bigsqcap S$.
Hence $\mathrm{live}_a(\bigsqcap S) = a \sqcup \bigsqcap S = \bigsqcap S$.

4. $\mathrm{live}_a(\bigsqcup T) = a \sqcup \bigsqcup T = a \sqcup t_0 \sqcup \bigsqcup T = t_0 \sqcup \bigsqcup T = \bigsqcup T$, where the third
equality holds because $t_0$ is $a$-live. □



5.3 Decomposition Theorem 

With the above notions of safety and liveness, just simple reasoning with the laws 
of Heyting algebras proves that every element of the algebra can be decomposed 
into a conjunction of a safe and a live part. 

Proposition 19. For all $x \in H$ it holds

$x = \mathrm{safe}_a(x) \sqcap \mathrm{live}_a(x)$.

Proof. $\mathrm{safe}_a(x) \sqcap \mathrm{live}_a(x) = (a \Rightarrow x) \sqcap (a \sqcup x) = ((a \Rightarrow x) \sqcap a) \sqcup ((a \Rightarrow x) \sqcap x) =
(a \sqcap x) \sqcup x = x$, where the third equality holds due to the cancellation laws for the
relative pseudo-complement in Heyting algebras, which say that $y \sqcap (y \Rightarrow z) = y \sqcap z$
and $(y \Rightarrow z) \sqcap z = z$ for all $y, z \in H$. □

The above decomposition might be trivial, for instance in the case that x is 
both safe and live. However, the following proposition shows that this cannot 
happen for non-trivial x because safe and live elements are separated. 

Proposition 20. Let $x \in H$ be $a$-safe and $a$-live. Then $x = \top$.

Proof. Let $x \in H$ be $a$-safe and $a$-live. Then $x = \mathrm{safe}_a(x) = \mathrm{safe}_a(\mathrm{live}_a(x)) =
a \Rightarrow (a \sqcup x) = \top$, where the last equality holds because $y \Rightarrow z = \top$ for all $y, z \in H$
with $y \sqsubseteq z$. □

Whether there are elements which are neither safe nor live (so that the above 
decomposition is really non-trivial) depends on the Heyting algebra. For exam- 
ple, all elements in figure 3 are $a$-safe ($\bot$, $b$, $c$, $\top$) or $a$-live ($a$, $\top$). However as
shown in the previous section, in the Heyting algebra PREF of prefix-closed
sets of behaviors, there are elements which are neither $\Sigma^+$-safe nor $\Sigma^+$-live.

Finally, we note that when the Heyting algebra H happens to be a Boolean 
algebra, the definition of the liveness closure can be reduced to the safety closure, 
as it is the case in most decomposition theorems, see for instance [4] or [16]. 

Proposition 21. Let $\mathcal{H}$ be a Boolean algebra, i.e., let the law of excluded middle
hold in $H$. Then for all $x \in H$

$\mathrm{live}_a(x) = \mathrm{safe}_a(x) \Rightarrow x$.

Proof. $\mathrm{safe}_a(x) \Rightarrow x = x \sqcup -\mathrm{safe}_a(x) = x \sqcup -(a \Rightarrow x) = x \sqcup -(-a \sqcup x) =
x \sqcup (a \sqcap -x) = (x \sqcup a) \sqcap (x \sqcup -x) = (x \sqcup a) \sqcap \top = x \sqcup a = \mathrm{live}_a(x)$. □
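The closures and the decomposition theorem of this section, recomputed by brute force on the algebra of Fig. 3 and on a small Boolean algebra. This is an added Python example, not code from the paper; the five-element order it uses for Fig. 3 is an assumption reconstructed from the text's statements about the figure (b and c are a-safe, b ⊔ c = a is not, the join-irreducibles are b, c and ⊤).

```python
from itertools import product, combinations


class FiniteHeyting:
    """A finite Heyting algebra given by its carrier and order; meet, join and the
    relative pseudo-complement x => y are computed by brute force (fine for small H)."""

    def __init__(self, elems, leq):
        self.elems = list(elems)
        self.leq = leq                      # leq(x, y): x is below or equal to y
        self.bot = self._least(self.elems)
        self.top = self._greatest(self.elems)

    def _least(self, xs):
        return next(x for x in xs if all(self.leq(x, y) for y in xs))

    def _greatest(self, xs):
        return next(x for x in xs if all(self.leq(y, x) for y in xs))

    def meet(self, x, y):
        return self._greatest([z for z in self.elems if self.leq(z, x) and self.leq(z, y)])

    def join(self, x, y):
        return self._least([z for z in self.elems if self.leq(x, z) and self.leq(y, z)])

    def imp(self, x, y):
        # x => y is the greatest z with (z meet x) below y, the definition in Section 5
        return self._greatest([z for z in self.elems if self.leq(self.meet(z, x), y)])

    def neg(self, x):
        return self.imp(x, self.bot)       # pseudo-complement -x = x => bot

    # Sections 5.1 / 5.2: closures relative to the separating element a
    def safe(self, a, x):
        return self.imp(a, x)

    def live(self, a, x):
        return self.join(a, x)

    def is_safe(self, a, x):
        return self.safe(a, x) == x

    def is_live(self, a, x):
        return self.live(a, x) == x

    def join_irreducibles(self):
        return [j for j in self.elems if j != self.bot and not any(
            self.join(x, y) == j and x != j and y != j
            for x, y in product(self.elems, repeat=2))]

    def is_forest(self, subset):
        # every principal down-set inside `subset` must be a chain
        for x in subset:
            below = [y for y in subset if self.leq(y, x)]
            if any(not (self.leq(u, v) or self.leq(v, u)) for u in below for v in below):
                return False
        return True

    def safe_closed_under_join(self, a):   # what Proposition 17 guarantees for forests
        return all(self.is_safe(a, self.join(x, y)) for x in self.elems for y in self.elems
                   if self.is_safe(a, x) and self.is_safe(a, y))

    def decomposition_holds(self, a):      # Proposition 19: x = safe_a(x) meet live_a(x)
        return all(self.meet(self.safe(a, x), self.live(a, x)) == x for x in self.elems)

    def separation_holds(self, a):         # Proposition 20: safe and live forces x = top
        return all(x == self.top for x in self.elems
                   if self.is_safe(a, x) and self.is_live(a, x))

    def boolean_identity_holds(self, a):   # Proposition 21: live_a(x) = safe_a(x) => x
        return all(self.live(a, x) == self.imp(self.safe(a, x), x) for x in self.elems)


# Fig. 3 as reconstructed here (assumption): bot < b, c < a < top, b and c incomparable, a = b join c.
_FIG3_STRICT = {("bot", "b"), ("bot", "c"), ("bot", "a"), ("bot", "top"),
                ("b", "a"), ("c", "a"), ("b", "top"), ("c", "top"), ("a", "top")}
FIG3 = FiniteHeyting(["bot", "b", "c", "a", "top"],
                     lambda x, y: x == y or (x, y) in _FIG3_STRICT)

# A Boolean algebra for contrast: the powerset of {1, 2, 3} ordered by inclusion.
_U = frozenset({1, 2, 3})
BOOL = FiniteHeyting([frozenset(s) for r in range(4) for s in combinations(_U, r)],
                     lambda x, y: x <= y)
BOOL_A = frozenset({1})   # an arbitrary separating element


def fig3_report():
    """Recompute the facts the text states about Fig. 3 with a as separating element."""
    ji = FIG3.join_irreducibles()
    return {
        "safe": [x for x in FIG3.elems if FIG3.is_safe("a", x)],
        "live": [x for x in FIG3.elems if FIG3.is_live("a", x)],
        "join_irreducibles": ji,
        "ji_is_forest": FIG3.is_forest(ji),
        "b_join_c_safe": FIG3.is_safe("a", FIG3.join("b", "c")),
        "decomposition": FIG3.decomposition_holds("a"),
        "separation": FIG3.separation_holds("a"),
    }


if __name__ == "__main__":
    print(fig3_report())
    print("Boolean:", BOOL.boolean_identity_holds(BOOL_A), BOOL.safe_closed_under_join(BOOL_A))
```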



6 Conclusion 

We have presented an intuitionistic variant of the linear-time temporal
logic LTL which is capable of specifying sets of finite and infinite behaviors
simultaneously. The intuitionistic nature of this logic comes in handy when doing
assume-guarantee reasoning, because special temporal operators that have been
introduced to reason about assume-guarantee specifications are definable via 
the intuitionistic implication. Furthermore, we have given an abstract algebraic 
definition of notions of safety and liveness suitable for intuitionistic temporal 
logics. These intuitionistic notions are similar to the classical ones, yet they are 
more compatible with the logical connectives; in particular, intuitionistic liveness 
properties are closed under conjunction. The logic admits an elegant logical 
characterization of intuitionistic safety and liveness. It remains to be investigated 
whether our abstract algebraic definition of safety and liveness also applies to 
other intuitionistic temporal logics, e.g., to intuitionistic variants of CTL. 

There are still a number of unresolved questions concerning the logic.
The exact expressive power should be determined, one should give an axiomati-
zation, and one should address decidability and complexity of the satisfiability
and model checking problems. Whether the logic can be considered a useful speci-
fication language depends on the answers to these questions.

Acknowledgment. The author thanks Viorica Sofronie-Stokkermans for the 
many intensive discussions that greatly helped to develop and clarify the ideas 
of this paper. Thanks to an anonymous reviewer for directing our attention to 
the connection between intuitionistic safety/liveness and the Scott topology on 
strings. 







References 

1. Martin Abadi and Leslie Lamport. Conjoining specifications. ACM Transactions
on Programming Languages and Systems, 17(3):507-534, 1995.

2. Martin Abadi and Stephan Merz. An abstract account of composition. In
20th International Symposium on Mathematical Foundations of Computer Science
(MFCS), LNCS 969, pages 499-508. Springer, 1995.

3. Martin Abadi and Gordon D. Plotkin. A logical view of composition. Theoretical
Computer Science, 114:3-30, 1993.

4. Bowen Alpern and Fred B. Schneider. Defining liveness. Information Processing
Letters, 21(4):181-185, 1985.

5. Bowen Alpern and Fred B. Schneider. Recognizing safety and liveness. Distributed
Computing, 2(3):117-126, 1987.

6. Rowan Davies. A temporal-logic approach to binding-time analysis. In Proceedings
of the 11th IEEE Symposium on Logic in Computer Science (LICS), pages 184-195.
IEEE Computer Society, 1996.

7. Cindy Eisner, Dana Fisman, John Havlicek, Yoad Lustig, Anthony McIsaac, and
David Van Campenhout. Reasoning with temporal logic on truncated paths. In
15th International Conference on Computer Aided Verification (CAV), LNCS 2725,
pages 27-39. Springer, 2003.

8. E. Allen Emerson. Temporal and modal logic. In Jan van Leeuwen, editor, Hand-
book of Theoretical Computer Science, volume B, pages 995-1072. Elsevier, 1990.

9. H. Peter Gumm. Another glance at the Alpern-Schneider characterization of safety
and liveness in concurrent executions. Information Processing Letters, 47(6):291-
294, 1993.

10. Bengt Jonsson and Yih-Kuen Tsay. Assumption/guarantee specifications in linear-
time temporal logic. Theoretical Computer Science, 167:47-72, 1996.

11. Leslie Lamport. Proving the correctness of multiprocess programs. IEEE Trans-
actions on Software Engineering, 3(2):125-143, 1977.

12. Orna Lichtenstein, Amir Pnueli, and Lenore Zuck. The glory of the past. In Logic
of Programs, LNCS 193, pages 196-218. Springer, 1985.

13. Patrick Maier. A Lattice-Theoretic Framework For Circular Assume-Guarantee
Reasoning. PhD thesis, Universität des Saarlandes, Saarbrücken, July 2003.

14. Patrick Maier. Intuitionistic LTL and a new characterization of safety and liveness.
Technical Report MPI-I-2004-2-002, Max-Planck-Institut für Informatik, 2004.

15. Panagiotis Manolios and Richard Trefler. Safety and liveness in branching time. In
Proceedings of the 16th IEEE Symposium on Logic in Computer Science (LICS),
pages 366-374. IEEE Computer Society, 2001.

16. Panagiotis Manolios and Richard Trefler. A lattice-theoretic characterization of
safety and liveness. In Proceedings of the 22nd ACM Symposium on Principles of
Distributed Computing (PODC), pages 325-333. ACM Press, 2003.

17. Gordon Plotkin and Colin Stirling. A framework for intuitionistic modal logics.
In Proceedings of the 1st Conference on Theoretical Aspects of Reasoning about
Knowledge (TARK), pages 399-406. Morgan Kaufmann, 1986.

18. Amir Pnueli. The temporal semantics of concurrent programs. Theoretical Com-
puter Science, 13:45-60, 1981.

19. A. Prasad Sistla. Safety, liveness and fairness in temporal logic. Formal Aspects
of Computing, 6:495-511, 1994.




Moving in a Crumbling Network: 
The Balanced Case 



Philipp Rohde

RWTH Aachen, Informatik VII
rohde@informatik.rwth-aachen.de



Abstract. In this paper we continue the study of ‘sabotage modal logic’ 
SML which was suggested by van Benthem. In this logic one describes the 
progression along edges of a transition graph in alternation with moves 
of a saboteur who can delete edges. A drawback of the known results on 
SML is the asymmetry of the two modalities of ‘moving’ and ‘deleting’: 
Movements are local, whereas there is a global choice for edge deletion. 
To balance the situation and to obtain a more realistic model for traffic 
and network problems, we require that also the sabotage moves (edge 
deletions) are subject to a locality condition. We show that the new 
logic, called path sabotage logic PSL, already has the same complexities 
as SML (model checking, satisfiability) and that it lacks the finite model 
property. The main effort is finding a pruned form of SML-models that 
can be enforced within PSL and giving appropriate reductions from SML 
to PSL. 

Keywords: modal logics, dynamic logics, model checking 



1 Introduction 

In the ’classical’ framework of model checking one considers movements of agents 
within a system, but the underlying structure is assumed to be static. So in many 
formalisms only properties of unchanged systems are expressible. This motivates 
a more general approach where dynamic changes of the underlying structure 
are relevant. For example, consider a computer network where connections may 
break down. Some natural questions arise for such a system: Is it possible - 
regardless of the removed connections - to interchange information between two 
designated servers? Another task of this kind arises for navigation systems: Is it 
possible to find a way between cities within a traffic network where connections 
are canceled, e.g., because of roadworks or traffic jams? 

To specify problems of this nature, van Benthem considered ‘sabotage modal 
logics’ which are modal logics over changing models (cf. [1]). He introduced a 
cross-model modality referring to submodels from which objects have been re- 
moved. SML consists of standard modal logic equipped with an ‘edge-deleting’
modality and is capable of expressing elementary changes of transition systems 
itself. One could express problems related to this situation by first order speci- 
fications, but then one has to put up with the high complexity of FO. So SML 
seems to be a moderate strengthening of modal logic for this kind of problems. 

J. Marcinkowski and A. Tarlecki (Eds.): CSL 2004, LNCS 3210, pp. 310-324, 2004. 

© Springer-Verlag Berlin Heidelberg 2004
But in [3] and [4] we showed that the new operator already strengthens modal
logic in such a way that all the nice algorithmic and model-theoretic proper- 
ties of modal logic get lost. In fact, from the viewpoint of complexity, SML 
much more resembles FO than modal logic: Uniform model checking for SML is 
PSPACE-complete and the satisfiability problem is undecidable. But after all, 
an advantage of SML over FO is a linear formula and a polynomial program 
complexity of model checking. 

A drawback of SML is the asymmetry of the two modalities of ‘moving’ and 
‘deleting’: Movements are local, whereas the choice for edge deletion is global. 
So SML seems to be an appropriate specification for dynamic problems like the 
traffic problem mentioned above: The canceling of connections is global and 
(almost) independent of a movement within the system. But for other dynamic 
tasks SML fails to be a realistic model, especially if the ’saboteur’ also has to 
move within the system using the same connections as the ’runner’. For example, 
a computer virus needs to use the same internet connections before it reaches 
the target that it wants to block. In this paper we introduce the path sabotage 
logic PSL to balance the situation: We require that the saboteur moves within 
the system such that exactly those edges are deleted that were taken along his 
path. Hence also the sabotage moves are subject to a locality condition. We show 
that PSL already has the same complexities as SML and that PSL also fails to 
have the finite model property. 

In Sect. 2 we repeat the definition of SML and introduce the logic PSL. 
In Sect. 3 we show that model checking for PSL is PSPACE-complete and that 
PSL has an effective formula and program complexity. To reduce the satisfiability 
problem for SML to the same problem for PSL we need a kind of normal form for 
SML-models (relative to a given SML-formula), namely pruned models. In Sect. 4 
we introduce this notion and show that every SML-model can be transformed 
into a pruned form. In Sect. 5 we show how to enforce within PSL that a model of 
a given SML-formula contains a pruned submodel together with some additional 
properties that we need for the reduction of the satisfiability problem. 

I would like to thank Christof Löding for several comments and Benedikt
Löwe who had the idea of the path sabotage logic.

2 Preliminaries 

In this section we repeat the definition of the sabotage modal logic SML with 
a global ‘edge-deleting’ modality and introduce the balanced version of SML 
with a ‘deleting by moving’ modality which we call path sabotage logic PSL. 
We interpret both logics over edge-labeled transition systems. For that let Prop 
be a finite set of unary predicate symbols. A transition system $T$ is a tuple
$(S, \Sigma, R, L)$ with a set of states $S$, a finite alphabet $\Sigma$, a ternary transition
relation $R \subseteq S \times \Sigma \times S$ and a labeling function $L : S \to 2^{\mathrm{Prop}}$.

Let $p \in \mathrm{Prop}$ and $a \in \Sigma$. Formulae of the sabotage modal logic SML are
inductively defined by the grammar

$\varphi ::= \top \mid p \mid \neg\varphi \mid \varphi \vee \varphi \mid \Diamond_a\varphi \mid \blacklozenge_a\varphi$

As usual, $\bot$ is an abbreviation for $\neg\top$. The dual modalities are defined by $\Box_a\varphi :=
\neg\Diamond_a\neg\varphi$ and $\blacksquare_a\varphi := \neg\blacklozenge_a\neg\varphi$.

Let $T = (S, \Sigma, R, L)$ be a transition system. For a set $E \subseteq R$ we define the
transition system $T \setminus E := (S, \Sigma, R \setminus E, L)$. The semantics of SML relative to a
current position $s \in S$ are inductively defined by

$(T, s) \models \top$ is true,
$(T, s) \models p$ iff $p \in L(s)$,
$(T, s) \models \neg\varphi$ iff not $(T, s) \models \varphi$,
$(T, s) \models \varphi \vee \psi$ iff $(T, s) \models \varphi$ or $(T, s) \models \psi$,
$(T, s) \models \Diamond_a\varphi$ iff there is $s' \in S$ with $(s, a, s') \in R$ and $(T, s') \models \varphi$,
$(T, s) \models \blacklozenge_a\varphi$ iff there is $(t, a, t') \in R$ with $(T \setminus \{(t, a, t')\}, s) \models \varphi$.



The sabotage modality $\blacklozenge$ has the global power to delete transitions some-
where in the system whereas the standard modality $\Diamond$ only allows moving
locally. To balance the situation we introduce a new sabotage modality $\dot\Diamond$ such
that deletion is combined with a movement that is independent of the one accord-
ing to the standard modalities. Hence a current position in the system becomes
a pair of states. The syntax of the path sabotage logic PSL is defined in the same
way, but using the modality $\dot\Diamond_a$ instead of $\blacklozenge_a$ for $a \in \Sigma$. The dual modality $\dot\Box_a$
is defined analogously.

The semantics of PSL relative to a current position $[s, t]$ for $s, t \in S$ are
inductively defined by

$(T, s, t) \models \top$ is true,
$(T, s, t) \models p$ iff $p \in L(s)$,
$(T, s, t) \models \neg\varphi$ iff not $(T, s, t) \models \varphi$,
$(T, s, t) \models \varphi \vee \psi$ iff $(T, s, t) \models \varphi$ or $(T, s, t) \models \psi$,
$(T, s, t) \models \Diamond_a\varphi$ iff there is $s' \in S$ with $(s, a, s') \in R$ and $(T, s', t) \models \varphi$,
$(T, s, t) \models \dot\Diamond_a\varphi$ iff there is $t' \in S$ with $(t, a, t') \in R$ and
$(T \setminus \{(t, a, t')\}, s, t') \models \varphi$.



Note that propositions can only be checked on paths built up by standard 
modalities. 

A measure for the complexity of an SML-formula $\varphi$ is the number of nested
sabotage modalities. We call this the sabotage depth $\mathrm{sd}(\varphi)$ of $\varphi$ and define in-
ductively

$\mathrm{sd}(\top) := \mathrm{sd}(p) := 0$, $\mathrm{sd}(\varphi_1 \vee \varphi_2) := \max\{\mathrm{sd}(\varphi_1), \mathrm{sd}(\varphi_2)\}$,

$\mathrm{sd}(\neg\psi) := \mathrm{sd}(\Diamond_a\psi) := \mathrm{sd}(\psi)$, $\mathrm{sd}(\blacklozenge_a\psi) := \mathrm{sd}(\psi) + 1$.

The number of nested path sabotage operators of a PSL-formula $\varphi$ is called
path sabotage depth $\mathrm{pd}(\varphi)$ and is defined analogously.

For a fixed $a \in \Sigma$, the number $\mathrm{sd}_a(\varphi)$ of nested $\blacklozenge_a$ modalities is defined in
the same way, but using $\mathrm{sd}_a(\blacklozenge_a\psi) := \mathrm{sd}_a(\psi) + 1$ and $\mathrm{sd}_a(\blacklozenge_b\psi) := \mathrm{sd}_a(\psi)$ for
$b \neq a$. In the next section we will see that the path sabotage depth $\mathrm{pd}(\varphi)$ of a
formula $\varphi$ is the main factor in the complexity of the model checking problem for
PSL. But first we repeat some known results on the logic SML. The combined
complexity of SML model checking, i.e., the complexity measured in terms of
the size of the formula and the size of the structure, was already settled in [3].
The formula and program complexity of SML model checking was determined
in [4].

Theorem 1. 1. Uniform model checking for SML is PSPACE-complete.

2. The formula complexity of SML model checking is linear.

3. The program complexity of SML model checking is polynomial.

In [4] it was also shown that, in contrast to modal logic where each satisfiable
formula has a finite model, this property does not hold for SML.

Theorem 2. SML does not have the finite model property.

Further it was proven that the satisfiability problem for SML is undecidable.
To be more precise:

Theorem 3. The satisfiability problem for SML is undecidable.



3 Model Checking for PSL 

In this section we show that model checking for PSL is also PSPACE-complete. 
For membership we give a translation of PSL into first order logic. The com- 
pleteness is shown by a reduction of the SML model checking problem to the one 
for PSL. In the rest of the section we show that PSL has an effective formula and 
program complexity. We do that by translating the model checking problem for 
PSL into the one for standard modal logic. Some proofs are slight modifications 
of the ones for SML that are presented in [3] and [4], so we omit the details. 

By heavy use of variables one can translate PSL into first order logic. Since 
FO model checking is in PSPACE we obtain: 

Lemma 4. For every PSL-formula $\varphi$ there is an FO-formula $\varphi'$ with two free
variables such that for every transition system $T$ and all states $s, t$ of $T$:

$(T, s, t) \models \varphi$ iff $T \models \varphi'[s, t]$.

In particular, PSL model checking is in PSPACE. □
Next we give a reduction of SML model checking to PSL model checking. For
an alphabet $\Sigma$ and $m \ge 1$ let $\Sigma_m := \Sigma \cup \{1, \ldots, m\}$ (w.l.o.g. we assume that
$i \notin \Sigma$ for every $1 \le i \le m$). For a transition system $T = (S, \Sigma, R, L)$ we define
the transition system $T_m := (S, \Sigma_m, R_m, L)$, where

$R_m := R \cup \{(s, i, s') \mid s, s' \in S \wedge 1 \le i \le m\}$.

For $m = 0$ let $\Sigma_0 = \Sigma$ and $T_0 = T$. For a given SML-formula $\varphi$ over $\Sigma$ let
the PSL-formula $\varphi^\#$ over $\Sigma_{\mathrm{sd}(\varphi)}$ be inductively defined as follows: $(\top)^\# := \top$,
$(p)^\# := p$ and the operator $\#$ is homomorphic for $\vee$, $\neg$ and $\Diamond_a$. For $\varphi = \blacklozenge_a\psi$
and $i = \mathrm{sd}(\varphi)$ let $\varphi^\# := \dot\Diamond_i\dot\Diamond_a\psi^\#$. Note that $|R_m| = |R| + m \cdot |S|^2$ and that $|\varphi^\#|$
is polynomial in $|\varphi|$.

Lemma 5. Let $\varphi$ be an SML-formula. For every transition system $T$ and $s, t \in T$
it holds $(T, s) \models \varphi$ iff $(T_{\mathrm{sd}(\varphi)}, s, t) \models \varphi^\#$.

Proof. By induction on the structure of $\varphi$. Let $m := \mathrm{sd}(\varphi)$. Since the standard
modalities in $\varphi$ do not speak about the symbols $1, \ldots, m$, the only interesting
case is for $\varphi = \blacklozenge_a\psi$. Let $T = (S, \Sigma, R, L)$ with $(T, s) \models \varphi$. Then there is
$(u, a, u') \in R$ such that $(T \setminus \{(u, a, u')\}, s) \models \psi$. Since $\mathrm{sd}(\psi) = m - 1$, it holds
$((T \setminus \{(u, a, u')\})_{m-1}, s, u') \models \psi^\#$ by induction. Clearly we have

$T_n \setminus \{(v, a, v')\} = (T \setminus \{(v, a, v')\})_n$ (1)

for any transition $(v, a, v') \in R$ and $n \in \mathbb{N}$. Hence $(T_{m-1} \setminus \{(u, a, u')\}, s, u') \models \psi^\#$
and therefore $(T_{m-1}, s, u) \models \dot\Diamond_a\psi^\#$. Since the symbol $m$ does not occur in $\psi^\#$,
we can arbitrarily add $m$-transitions to the model without affecting the truth of
$\dot\Diamond_a\psi^\#$. So we also have $(T_m \setminus \{(t, m, u)\}, s, u) \models \dot\Diamond_a\psi^\#$. Since $(t, m, u)$ is a transition
in $T_m$ we get $(T_m, s, t) \models \dot\Diamond_m\dot\Diamond_a\psi^\# = \varphi^\#$.

For the converse let $\varphi^\# = \dot\Diamond_m\dot\Diamond_a\psi^\#$ with $(T_m, s, t) \models \varphi^\#$. Then there are
$u, u' \in S$ with $(u, a, u') \in R$ such that

$(T_m \setminus \{(t, m, u), (u, a, u')\}, s, u') \models \psi^\#$.

Since the symbol $m$ does not occur in $\psi^\#$ and by (1) it holds
$((T \setminus \{(u, a, u')\})_{m-1}, s, u') \models \psi^\#$.

By induction we have $(T \setminus \{(u, a, u')\}, s) \models \psi$, hence $(T, s) \models \blacklozenge_a\psi$. □



Corollary 6. Model checking for PSL is PSPACE-complete.

Proof. By Lemma 4, PSL model checking is in PSPACE. As noted above the size
of $\varphi^\#$ is polynomial in $|\varphi|$ and the size of $T_{\mathrm{sd}(\varphi)}$ is polynomial in $|T|$ and $|\varphi|$. By
the previous lemma we have a polynomial time reduction of the PSPACE-hard
SML model checking to PSL model checking. □
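To see the SML and PSL semantics and the reduction of Lemma 5 at work, the following added Python example (not the paper's code) evaluates both logics by brute force on a constructed four-state system shaped like Example 9 below, builds $T_m$ and $\varphi^\#$, and checks that $(T,s) \models \varphi$ iff $(T_{\mathrm{sd}(\varphi)}, s, t) \models \varphi^\#$ for all $s, t$; it also shows why the saboteur's position matters in PSL but not in SML. The tuple encoding of formulas and the use of the integers $1, \ldots, m$ as fresh symbols are choices made here.

```python
# Formulas as nested tuples: ("top",), ("prop", q), ("not", f), ("or", f, g), ("dia", a, f) for the
# standard modality, ("sab", a, f) for SML sabotage and ("psab", a, f) for PSL path sabotage.
# A transition system is (S, R, L): a state set, a frozenset of transitions (x, a, y), a label dict.
TOP = ("top",)
def dia(a, f): return ("dia", a, f)
def sab(a, f): return ("sab", a, f)
def psab(a, f): return ("psab", a, f)
def land(f, g): return ("not", ("or", ("not", f), ("not", g)))   # conjunction, derived

def depth(f, modality):
    """Nesting depth of one modality kind: depth(f, "sab") is sd(f), depth(f, "psab") is pd(f)."""
    kind = f[0]
    if kind in ("top", "prop"):
        return 0
    if kind == "not":
        return depth(f[1], modality)
    if kind == "or":
        return max(depth(f[1], modality), depth(f[2], modality))
    return depth(f[2], modality) + (1 if kind == modality else 0)


def sml(T, s, f):
    """(T, s) |= f in SML: the sabotage modality deletes an a-transition anywhere in T."""
    S, R, L = T
    kind = f[0]
    if kind == "top":
        return True
    if kind == "prop":
        return f[1] in L.get(s, ())
    if kind == "not":
        return not sml(T, s, f[1])
    if kind == "or":
        return sml(T, s, f[1]) or sml(T, s, f[2])
    if kind == "dia":
        return any(sml(T, y, f[2]) for (x, a, y) in R if x == s and a == f[1])
    return any(sml((S, R - {e}, L), s, f[2]) for e in R if e[1] == f[1])   # kind == "sab"


def psl(T, s, t, f):
    """(T, s, t) |= f in PSL: runner at s, saboteur at t; the saboteur may only delete a
    transition it walks along and ends up at its target."""
    S, R, L = T
    kind = f[0]
    if kind == "top":
        return True
    if kind == "prop":
        return f[1] in L.get(s, ())
    if kind == "not":
        return not psl(T, s, t, f[1])
    if kind == "or":
        return psl(T, s, t, f[1]) or psl(T, s, t, f[2])
    if kind == "dia":
        return any(psl(T, y, t, f[2]) for (x, a, y) in R if x == s and a == f[1])
    return any(psl((S, R - {e}, L), s, e[2], f[2])                        # kind == "psab"
               for e in R if e[0] == t and e[1] == f[1])


def extend(T, m):
    """T_m of the reduction: an i-transition between every pair of states for 1 <= i <= m.
    Original letters are strings here, so the integers 1..m are fresh symbols."""
    S, R, L = T
    return (S, R | frozenset((x, i, y) for x in S for y in S for i in range(1, m + 1)), L)


def sharp(f):
    """phi#: an SML sabotage of depth i becomes 'walk an i-edge, then walk an a-edge' in PSL."""
    kind = f[0]
    if kind in ("top", "prop"):
        return f
    if kind == "not":
        return ("not", sharp(f[1]))
    if kind == "or":
        return ("or", sharp(f[1]), sharp(f[2]))
    if kind == "dia":
        return dia(f[1], sharp(f[2]))
    return psab(depth(f, "sab"), psab(f[1], sharp(f[2])))   # kind == "sab", i = sd(f)


def lemma5_check(T, f):
    """Lemma 5 on a concrete model: (T, s) |= f iff (T_sd(f), s, t) |= f# for all s and t."""
    Tm, fs = extend(T, depth(f, "sab")), sharp(f)
    return all(sml(T, s, f) == psl(Tm, s, t, fs) for s in T[0] for t in T[0])

# Constructed model in the spirit of Example 9: s -a-> s1 plus a 'dummy' a-edge u -a-> v that the
# runner cannot reach from s.  PHI needs an a-successor of s even after one deletion, and two
# deletable a-edges overall.
EX = (frozenset({"s", "s1", "u", "v"}), frozenset({("s", "a", "s1"), ("u", "a", "v")}), {"s1": {"p"}})
PHI = land(dia("a", TOP), land(sab("a", dia("a", TOP)), sab("a", sab("a", TOP))))


def locality_demo():
    """PSL is position-sensitive: a saboteur at u can give up the dummy edge, one at s cannot."""
    f = psab("a", dia("a", TOP))
    return psl(EX, "s", "u", f), psl(EX, "s", "s", f)


if __name__ == "__main__":
    print("sd(PHI) =", depth(PHI, "sab"), "  (T, s) |= PHI:", sml(EX, "s", PHI))
    print("Lemma 5 holds on EX:", lemma5_check(EX, PHI), "  locality:", locality_demo())
```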
In the rest of the section we give a reduction of PSL model checking to the
one for standard modal logic. For a transition system $T = (S, \Sigma, R, L)$ we define
the transition system $T^* := (S^*, \Sigma^*, R^*, L^*)$ that encodes all possible ways of
sabotaging $T$:

$S^* := S \times S \times 2^R$, $\Sigma^* := \Sigma \cup \{\bar a \mid a \in \Sigma\}$,

$R^* := \{((s, t, E), a, (s', t, E)) \mid (s, a, s') \in R \setminus E\} \cup
\{((s, t, E), \bar a, (s, t', E')) \mid (t, a, t') \in R \setminus E \wedge E' = E \cup \{(t, a, t')\}\}$,

$L^*(s, t, E) := L(s)$ for each $s, t \in S$ and $E \subseteq R$.

Over this system one can simulate the sabotage operator $\dot\Diamond_a$ by using an $\bar a$-
transition, i.e., by the modal operator $\Diamond_{\bar a}$. This motivates the following inductive
definition of the ML-formula $\varphi^*$ for a given PSL-formula $\varphi$: $(\top)^* := \top$, $(p)^* := p$
and the operator $*$ is homomorphic for $\vee$, $\neg$ and $\Diamond_a$. For $\varphi = \dot\Diamond_a\psi$ let $\varphi^* :=
\Diamond_{\bar a}\psi^*$.

Recall that $\mathrm{pd}(\varphi)$ denotes the depth of nested path sabotage operators of a
PSL-formula $\varphi$ (cf. Sect. 2). If $\mathrm{pd}(\varphi)$ is small then we do not need the complete
transition system to evaluate $\varphi^*$. So, for $n \in \mathbb{N}$, we define $T^*_n$ to be the
transition system $T^*$ restricted to the states $(s, t, E)$ with $|E| \le n$. Note that
$T^*_n = T^*$ for $n \ge |R|$. The proof of the following lemma is a slight modification
of the one for SML presented in [4].

Lemma 7. Let $\varphi$ be a PSL-formula. For every transition system $T$ and $s, t \in T$
it holds

$(T, s, t) \models \varphi$ iff $(T^*_{\mathrm{pd}(\varphi)}, (s, t, \emptyset)) \models \varphi^*$. □

This reduction can be used to determine the formula complexity and the 
program complexity of PSL model checking: 

Corollary 8. 1. The formula complexity of PSL model checking is linear.

2. The program complexity of PSL model checking is polynomial.

Proof. It is well known that the model checking problem for modal logic over
transition systems can be solved in time $O(|\psi| \cdot |T|)$ where $|\psi|$ is the size of the
given ML-formula $\psi$ and $|T|$ is the size of the given transition system $T$ (cf. [2]).
Hence, by Lemma 7, we can solve the model checking problem for a PSL-formula
$\varphi$ and $T$ in time $O(|\varphi^*| \cdot |T^*_{\mathrm{pd}(\varphi)}|)$. From the definition of $\varphi^*$ we get $|\varphi^*| = |\varphi|$.

1. For a fixed transition system $T$ we can estimate the size of $T^*_{\mathrm{pd}(\varphi)}$ by
$|T^*_{\mathrm{pd}(\varphi)}| \in O(|T|^2 \cdot 2^{|R|})$. Hence the formula complexity is in $O(|\varphi|)$.

2. Since the number of subsets $E \subseteq R$ with $|E| \le \mathrm{pd}(\varphi)$ is in $O(|T|^{\mathrm{pd}(\varphi)})$
we get $|T^*_{\mathrm{pd}(\varphi)}| \in O(|T|^{\mathrm{pd}(\varphi)+3})$. So the model checking complexity with a fixed
PSL-formula $\varphi$ is polynomial in $|T|$. □
4 Pruned SML-Models

In the last section we gave a reduction of the model checking problem for SML
to the one for PSL. For a reduction of the satisfiability problem we need a
more sophisticated approach. In this section we show that each model of a given
SML-formula $\varphi$ can be pruned such that it consists only of those states that
are reachable from the initial state by the standard modalities in $\varphi$ together
with a bounded number of additional states (we call it a pruned model relative to
$\varphi$). We define the pruned form of a model in two steps. In the next section
we show how to enforce within PSL that a model of a given SML-formula $\varphi$
contains a pruned submodel (relative to $\varphi$) where each two states are connected
by $i$-transitions for $1 \le i \le \mathrm{sd}(\varphi)$ and such that one cannot escape the pruned
submodel by using the modalities of $\varphi$. Then we can use the same argument as
before to translate SML-modalities into PSL-modalities.

Let $\varphi$ be an SML-formula over $\Sigma$. We define inductively the set of path labels
$P_\varphi \subseteq \Sigma^*$ corresponding to the standard modalities in $\varphi$:

$P_\varphi := \{\varepsilon\}$ if $\varphi = \top$ or $\varphi = p$,
$P_\varphi := P_{\varphi_1} \cup P_{\varphi_2}$ if $\varphi = \varphi_1 \vee \varphi_2$,
$P_\varphi := P_\psi$ if $\varphi = \neg\psi$ or $\varphi = \blacklozenge_a\psi$,
$P_\varphi := \{\varepsilon\} \cup \{a \cdot \pi \mid \pi \in P_\psi\}$ if $\varphi = \Diamond_a\psi$.

For $T = (S, \Sigma, R, L)$ and $s \in T$ let $T_{\varphi,s} := (S_{\varphi,s}, \Sigma, R_{\varphi,s}, L|_{S_{\varphi,s}})$ be the
transition system restricted to paths in $P_\varphi$ starting in $s$:

$S_{\varphi,s} := \{t \mid t \in S$ and there is a $\pi$-path from $s$ to $t$ in $T$ for some $\pi \in P_\varphi\}$,
$R_{\varphi,s} := \{(t, a, t') \mid (t, a, t') \in R$ and there is a $\pi$-path from $s$ to $t$ in $T$
for some $\pi \in P_\varphi$, such that $\pi \cdot a \in P_\varphi\}$.



Note that, if $(T, s) \models \varphi$, then $T_{\varphi,s}$ does not need to be a model of $\varphi$. There
may be ‘dummy’ transitions in $T$ that have to be deleted to satisfy $\varphi$, but which
are not reachable by the standard modalities of $\varphi$.

Example 9. Consider the formula $\varphi := \Diamond_a\top \wedge \blacklozenge_a\Diamond_a\top \wedge \blacklozenge_a\blacklozenge_a\top$. The following
transition system $(T, s)$ is a model of $\varphi$:

Since $P_\varphi = \{\varepsilon, a\}$ the transition system $T_{\varphi,s}$ consists only of the states $s$, $s'$
and the transition $(s, a, s')$. Since we cannot delete two different $a$-transitions, it
fails to be a model of $\varphi$.

But in fact, the exact position of a ‘dummy’ transition in $T$ is irrelevant,
hence we can equip $T_{\varphi,s}$ with these transitions in a canonical way. Further we can
bound the number of these transitions: One only needs $\mathrm{sd}_a(\varphi)$ many additional
$a$-transitions for each $a \in \Sigma$, where $\mathrm{sd}_a(\varphi)$ is the depth of nested $\blacklozenge_a$ in $\varphi$ (cf.
Sect. 2). We show this in the rest of the section.
For two sets $R$ and $R'$ of transitions with $R' \subseteq R$ and $a \in \Sigma$ let $\mathrm{diff}_a(R, R') :=
|(R \setminus R') \cap S \times \{a\} \times S| \in \mathbb{N} \cup \{\infty\}$. Let $k^a_{\varphi,s} \in \mathbb{N}$ be the minimum of $\mathrm{sd}_a(\varphi)$ and
the number of $a$-transitions in $T$ that are not present in $T_{\varphi,s}$:

$k^a_{\varphi,s} := \min\{\mathrm{sd}_a(\varphi), \mathrm{diff}_a(R, R_{\varphi,s})\}$.

The pruned form $T^*_{\varphi,s}$ of SML-model $T$ relative to $\varphi$ and $s$ is defined by
$T^*_{\varphi,s} := (S^*_{\varphi,s}, \Sigma, R^*_{\varphi,s}, L|_{S_{\varphi,s}})$, where

$S^*_{\varphi,s} := S_{\varphi,s} \cup \{s^a_i \mid a \in \Sigma \wedge 1 \le i \le k^a_{\varphi,s}\}$,

$R^*_{\varphi,s} := R_{\varphi,s} \cup \{(s^a_i, a, s) \mid a \in \Sigma \wedge 1 \le i \le k^a_{\varphi,s}\}$.

Example 10. For the formula $\varphi$ and the model $T$ of Example 9 the transition
system $T^*_{\varphi,s}$ is

Theorem 11. Let $\varphi$ be an SML-formula, $T$ a transition system and $s \in T$. Then

$(T, s) \models \varphi$ iff $(T^*_{\varphi,s}, s) \models \varphi$.

Proof. By induction on the structure of $\varphi$. For the atomic cases $\varphi = \top$ and
$\varphi = p$ we have $P_\varphi = \{\varepsilon\}$ and $k^a_{\varphi,s} = 0$ for every $a \in \Sigma$. Hence $S^*_{\varphi,s} = \{s\}$ and
$(T, s)$ is a model of $\varphi$ iff $(T^*_{\varphi,s}, s)$ is a model of $\varphi$. By induction and the fact that
$T^*_{\neg\psi,s} = T^*_{\psi,s}$ the case $\varphi = \neg\psi$ is also clear.

Claim 1. Let $\varphi = \psi \vee \chi$. Then

$(T^*_{\varphi,s})^*_{\psi,s} = T^*_{\psi,s}$ and $(T^*_{\varphi,s})^*_{\chi,s} = T^*_{\chi,s}$.

Proof (of Claim 1). By symmetry it is enough to show the first statement. Since
$P_\psi \subseteq P_\varphi$ it is easy to see that $S_{\psi,s} \subseteq S_{\varphi,s}$ and $R_{\psi,s} \subseteq R_{\varphi,s}$. Since the additional
states $s^a_i$ in $T^*_{\varphi,s}$ do not belong to $S_{\psi,s}$, it follows $(T^*_{\varphi,s})_{\psi,s} = T_{\psi,s}$. Hence it suffices
to show that the same number of additional states $s^a_i$ is added to both models,
for each $a \in \Sigma$. For that let $a \in \Sigma$ and $k^a$ be the number of states $s^a_i$ in $(T^*_{\varphi,s})^*_{\psi,s}$:

$k^a := \min\{\mathrm{sd}_a(\psi), \mathrm{diff}_a(R^*_{\varphi,s}, R_{\psi,s})\}$.

Case 1: $\mathrm{sd}_a(\varphi) \le \mathrm{diff}_a(R, R_{\varphi,s})$. Since $(s^a_i, a, s) \in R^*_{\varphi,s} \setminus R_{\varphi,s} \subseteq R^*_{\varphi,s} \setminus R_{\psi,s}$ for
every $1 \le i \le k^a_{\varphi,s}$ we have

$\mathrm{diff}_a(R^*_{\varphi,s}, R_{\psi,s}) \ge k^a_{\varphi,s} = \mathrm{sd}_a(\varphi) \ge \mathrm{sd}_a(\psi)$,

hence $k^a = \mathrm{sd}_a(\psi)$. On the other hand, since $R_{\psi,s} \subseteq R_{\varphi,s}$ we have

$\mathrm{sd}_a(\psi) \le \mathrm{sd}_a(\varphi) \le \mathrm{diff}_a(R, R_{\varphi,s}) \le \mathrm{diff}_a(R, R_{\psi,s})$,

hence $k^a_{\psi,s} = \mathrm{sd}_a(\psi)$, i.e., $k^a_{\psi,s} = k^a$.

Case 2: $\mathrm{sd}_a(\varphi) > \mathrm{diff}_a(R, R_{\varphi,s})$. Then there is exactly one $a$-transition in $R^*_{\varphi,s}$
for each $a$-transition in $R$ and vice versa. Since $R_{\varphi,s} \subseteq R$ and $R_{\psi,s} \subseteq R^*_{\varphi,s}$ we
therefore get $\mathrm{diff}_a(R^*_{\varphi,s}, R_{\psi,s}) = \mathrm{diff}_a(R, R_{\psi,s})$ and hence

$k^a_{\psi,s} = \min\{\mathrm{sd}_a(\psi), \mathrm{diff}_a(R, R_{\psi,s})\} = k^a$.

In both cases the same number of states $s^a_i$ together with transitions $(s^a_i, a, s)$
is added for each $a \in \Sigma$. Hence we get $(T^*_{\varphi,s})^*_{\psi,s} = T^*_{\psi,s}$. □
Now we are ready to show the induction step for $\varphi = \psi \vee \chi$. We have
$$\begin{aligned}
(T, s) \models \varphi &\iff (T, s) \models \psi \text{ or } (T, s) \models \chi \\
&\iff (T^*_{\psi,s}, s) \models \psi \text{ or } (T^*_{\chi,s}, s) \models \chi && \text{by induction} \\
&\iff ((T^*_{\varphi,s})^*_{\psi,s}, s) \models \psi \text{ or } ((T^*_{\varphi,s})^*_{\chi,s}, s) \models \chi && \text{by Claim 1} \\
&\iff (T^*_{\varphi,s}, s) \models \psi \text{ or } (T^*_{\varphi,s}, s) \models \chi && \text{by induction} \\
&\iff (T^*_{\varphi,s}, s) \models \varphi.
\end{aligned}$$

Let $\varphi = \Diamond_a \psi$.

Claim 2. Let $t \in S$ with $(s, a, t) \in R$. Then $(T^*_{\varphi,s})^*_{\psi,t} = T^*_{\psi,t}$.

Proof of Claim 2. If there is a $\pi$-path from $t$ to $v$ in $T$ for some $\pi \in P_\psi$, then there is an $a \cdot \pi$-path from $s$ to $v$ and $a \cdot \pi \in P_\varphi$ by definition of $P_\varphi$. Hence $S_{\psi,t} \subseteq S_{\varphi,s}$. Analogously we have $R_{\psi,t} \subseteq R_{\varphi,s}$. So $(T^*_{\varphi,s})_{\psi,t} = T_{\psi,t}$ and it suffices to show that the same number of additional states $s^b_j$ for $b \in \Sigma$ is added to both models. Using the fact that $sd_b(\varphi) = sd_b(\psi)$ for every $b \in \Sigma$, the proof is almost the same as for the previous claim (using $R_{\psi,t}$ and $k^b_{\psi,t}$ instead of $R_{\psi,s}$ and $k^b_{\psi,s}$). □



Let $\varphi = \Diamond_a \psi$. Since $\varepsilon \in P_\psi$ we have $a \in P_\varphi$. By definition of $T^*_{\varphi,s}$ there is no $a$-transition from $s$ to some $s^b_j$, $b \in \Sigma$. Hence
$$t \in S \wedge (s, a, t) \in R \iff t \in S_{\varphi,s} \wedge (s, a, t) \in R_{\varphi,s} \iff t \in S^*_{\varphi,s} \wedge (s, a, t) \in R^*_{\varphi,s}. \qquad (2)$$
Therefore it holds
$$\begin{aligned}
(T, s) \models \varphi &\iff \exists t \in S : (s, a, t) \in R \wedge (T, t) \models \psi \\
&\iff \exists t \in S : (s, a, t) \in R \wedge (T^*_{\psi,t}, t) \models \psi && \text{by induction} \\
&\iff \exists t \in S : (s, a, t) \in R \wedge ((T^*_{\varphi,s})^*_{\psi,t}, t) \models \psi && \text{by Claim 2} \\
&\iff \exists t \in S : (s, a, t) \in R \wedge (T^*_{\varphi,s}, t) \models \psi && \text{by induction} \\
&\iff \exists t \in S^*_{\varphi,s} : (s, a, t) \in R^*_{\varphi,s} \wedge (T^*_{\varphi,s}, t) \models \psi && \text{by (2)} \\
&\iff (T^*_{\varphi,s}, s) \models \varphi.
\end{aligned}$$



Let $\varphi = \not\Diamond_a \psi$ (the $a$-sabotage modality, written $\not\Diamond_a$ here).

Claim 3. For all $t, t' \in S^*_{\varphi,s}$ with $(t, a, t') \in R^*_{\varphi,s}$ there are $u, u' \in S$ with $(u, a, u') \in R$ and
$$(T^*_{\varphi,s} \setminus \{(t, a, t')\})^*_{\psi,s} = (T \setminus \{(u, a, u')\})^*_{\psi,s},$$
and conversely, for all $u, u' \in S$ with $(u, a, u') \in R$ there are $t, t' \in S^*_{\varphi,s}$ with $(t, a, t') \in R^*_{\varphi,s}$ satisfying the same equality.

Proof of Claim 3. By definition it holds $P_\varphi = P_\psi$ and therefore $S_{\varphi,s} = S_{\psi,s}$ and $R_{\varphi,s} = R_{\psi,s}$.
1. Case I: If $(t, a, t') \in R_{\varphi,s}$ then also $(t, a, t') \in R$ and we set $u := t$ and $u' := t'$. First we show
$$(T^*_{\varphi,s} \setminus \{(t, a, t')\})_{\psi,s} = (T \setminus \{(u, a, u')\})_{\psi,s}. \qquad (3)$$
Let $S_1$ and $S_2$ be the state sets of the left hand side, resp., right hand side and let $R_1$, $R_2$ be the corresponding transition relations. It suffices to show $S_1 = S_2$ and $R_1 = R_2$. It holds $v \in S_1$ iff there is a $\pi$-path from $s$ to $v$ in $T^*_{\varphi,s} \setminus \{(t, a, t')\}$ for some $\pi \in P_\psi$, i.e., there is a sequence $p = (v_0, a_0, v_1), \ldots, (v_{n-1}, a_{n-1}, v_n)$ with $v_0 = s$, $v_n = v$, $(v_i, a_i, v_{i+1}) \in R^*_{\varphi,s} \setminus \{(t, a, t')\}$ for every $i < n$ and $a_0 \cdots a_{n-1} \in P_\psi$. Since none of the additional states $s^b_j$, $b \in \Sigma$, has an incoming transition it holds $v_i \in S_{\varphi,s}$ for every $i \le n$ and $(v_i, a_i, v_{i+1}) \in R_{\varphi,s} \setminus \{(t, a, t')\}$ for every $i < n$. By definition we also have $v_i \in S$ for every $i \le n$ and $(v_i, a_i, v_{i+1}) \in R \setminus \{(t, a, t')\}$ for every $i < n$. Hence $p$ is also a $\pi$-path from $s$ to $v$ in $T \setminus \{(t, a, t')\}$ and therefore $v \in S_2$.

On the other hand, let $v \in S_2$ and $p$ be a $\pi$-path from $s$ to $v$ in $T \setminus \{(t, a, t')\}$ for $\pi \in P_\psi$ as above. Then $p[0, i]$ is a $\pi[0, i]$-path from $s$ to $v_i$ with $\pi[0, i] \in P_\psi$ for every $i \le n$. Hence $v_i \in S_{\psi,s}$ for every $i \le n$, $(v_i, a_i, v_{i+1}) \in R_{\psi,s} \setminus \{(t, a, t')\}$ for every $i < n$ and $p$ is a $\pi$-path from $s$ to $v$ in $T_{\psi,s} \setminus \{(t, a, t')\} \subseteq T^*_{\varphi,s} \setminus \{(t, a, t')\}$, i.e., $v \in S_1$ and therefore $S_1 = S_2$. $R_1 = R_2$ is shown analogously.

Next we show that the same number of additional states $s^b_j$ is added to both models in (3), for every $b \in \Sigma$. If $sd_b(\varphi) > \mathrm{diff}_b(R, R_{\varphi,s})$ then the set of $b$-transitions in $R^*_{\varphi,s}$ has the same cardinality as the set of $b$-transitions in $R$. Since $R_1 = R_2$ we therefore get
$$\mathrm{diff}_b(R^*_{\varphi,s} \setminus \{(t, a, t')\}, R_1) = \mathrm{diff}_b(R \setminus \{(t, a, t')\}, R_2).$$
If $sd_b(\varphi) \le \mathrm{diff}_b(R, R_{\varphi,s})$ then the number of additional states $s^b_j$ in $T^*_{\varphi,s}$ is equal to $sd_b(\varphi)$ and there are just as many $b$-transitions in $R^*_{\varphi,s} \setminus R_{\varphi,s}$. Since $R_1 \subseteq R_{\varphi,s}$, $sd_a(\varphi) = sd_a(\psi) + 1$ and $sd_b(\varphi) = sd_b(\psi)$ for $b \ne a$ it holds
$$\mathrm{diff}_b(R \setminus \{(t, a, t')\}, R_2) \ge \mathrm{diff}_b(R^*_{\varphi,s} \setminus \{(t, a, t')\}, R_1) \ge sd_b(\varphi) \ge sd_b(\psi).$$
Therefore the number of additional states $s^b_j$ in both models is equal to $sd_b(\psi)$.

Case II: If $(t, a, t') = (s^a_i, a, s)$ for some $1 \le i \le k^a_{\varphi,s}$ then by definition there are $u, u' \in S$ with $(u, a, u') \in R \setminus R_{\varphi,s}$. With the notation as before it is easy to see that $S_1 = S_2 = S_{\psi,s}$ and $R_1 = R_2 = R_{\psi,s}$, hence (3) is also true for this case. If $b \ne a$ then
$$\min\{sd_b(\psi), \mathrm{diff}_b(R^*_{\varphi,s} \setminus \{(s^a_i, a, s)\}, R_1)\} = \min\{sd_b(\psi), \mathrm{diff}_b(R^*_{\varphi,s}, R_{\psi,s})\} = \min\{sd_b(\varphi), \mathrm{diff}_b(R, R_{\varphi,s})\}.$$
On the other hand,
$$\min\{sd_b(\psi), \mathrm{diff}_b(R \setminus \{(u, a, u')\}, R_2)\} = \min\{sd_b(\psi), \mathrm{diff}_b(R, R_{\psi,s})\} = \min\{sd_b(\varphi), \mathrm{diff}_b(R, R_{\varphi,s})\}.$$
For $b = a$ it holds $\min\{sd_a(\psi), \mathrm{diff}_a(R^*_{\varphi,s} \setminus \{(s^a_i, a, s)\}, R_1)\} = \min\{sd_a(\varphi) - 1, k^a_{\varphi,s} - 1\} = k^a_{\varphi,s} - 1$ and $\min\{sd_a(\psi), \mathrm{diff}_a(R \setminus \{(u, a, u')\}, R_2)\} = \min\{sd_a(\varphi), \mathrm{diff}_a(R, R_{\varphi,s})\} - 1 = k^a_{\varphi,s} - 1$ (note that $(u, a, u') \notin R_2$). So in both cases the number of additional states is the same.

2. If $(u, a, u') \in R_{\varphi,s} \subseteq R$ then we set $t := u$ and $t' := u'$ and the proof is exactly the same as for Case I above. Now let $(u, a, u') \in R \setminus R_{\varphi,s}$. Since $sd_a(\varphi) \ge 1$ we have $k^a_{\varphi,s} \ge 1$ and there is $s^a_1 \in S^*_{\varphi,s} \setminus S_{\varphi,s}$ with $(s^a_1, a, s) \in R^*_{\varphi,s}$. Then we set $t := s^a_1$ and $t' := s$ and repeat the proof of Case II above. □
By using Claim 3 we are able to prove the last induction step. For that let $\varphi = \not\Diamond_a \psi$. Then
$$\begin{aligned}
(T, s) \models \varphi &\iff \exists u, u' \in S : (u, a, u') \in R \wedge (T \setminus \{(u, a, u')\}, s) \models \psi \\
&\iff \exists u, u' \in S : (u, a, u') \in R \wedge ((T \setminus \{(u, a, u')\})^*_{\psi,s}, s) \models \psi && \text{by ind.} \\
&\iff \exists t, t' \in S^*_{\varphi,s} : (t, a, t') \in R^*_{\varphi,s} \wedge ((T^*_{\varphi,s} \setminus \{(t, a, t')\})^*_{\psi,s}, s) \models \psi && \text{by Cl. 3} \\
&\iff \exists t, t' \in S^*_{\varphi,s} : (t, a, t') \in R^*_{\varphi,s} \wedge (T^*_{\varphi,s} \setminus \{(t, a, t')\}, s) \models \psi && \text{by ind.} \\
&\iff (T^*_{\varphi,s}, s) \models \varphi.
\end{aligned}$$

This concludes the proof of the theorem. □
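The construction of $T^*_{\varphi,s}$ and the statement of Theorem 11 can be checked mechanically on small models. The following Python program is an added example and not code from the paper: it implements the SML semantics by brute force, the sabotage depth $sd_a$, the path set $P_\varphi$, the pruned model $T_{\varphi,s}$ and the dummy states $s^a_i$, and compares $(T, s) \models \varphi$ with $(T^*_{\varphi,s}, s) \models \varphi$ on a constructed model. The recursive clauses of $sd_a$ and $P_\varphi$ for $\vee$ and $\neg$ are our assumptions (the section only uses their consequences), and the sample model `R0`, the formulas `PHI1`..`PHI3` and the function names are ours.

```python
# Added example: brute-force SML model checking and the T*_{phi,s} construction of
# Theorem 11. Formulas are tuples: ('top',), ('prop', p), ('not', f), ('or', f, g),
# ('dia', a, f) for the standard modality <a>, ('sab', a, f) for the a-sabotage modality.

def sat(R, L, s, f):
    """(T, s) |= f for a model with transition set R (triples (u, a, v)) and labelling L."""
    kind = f[0]
    if kind == 'top':
        return True
    if kind == 'prop':
        return f[1] in L.get(s, set())
    if kind == 'not':
        return not sat(R, L, s, f[1])
    if kind == 'or':
        return sat(R, L, s, f[1]) or sat(R, L, s, f[2])
    if kind == 'dia':   # move the evaluation point along an a-transition
        return any(sat(R, L, v, f[2]) for (u, a, v) in R if u == s and a == f[1])
    if kind == 'sab':   # delete some a-transition anywhere in the model, stay at s
        return any(sat(R - {e}, L, s, f[2]) for e in R if e[1] == f[1])
    raise ValueError(kind)

def sd(f, a):
    """Sabotage depth sd_a(f): nesting depth of a-sabotage modalities (assumed clauses
    for 'not' and 'or': unchanged depth, resp. maximum of both sides)."""
    kind = f[0]
    if kind in ('top', 'prop'):
        return 0
    if kind in ('not', 'dia'):
        return sd(f[-1], a)
    if kind == 'or':
        return max(sd(f[1], a), sd(f[2], a))
    return sd(f[2], a) + (1 if f[1] == a else 0)          # 'sab'

def paths(f):
    """P_f: prefix-closed set of label words the standard modalities of f can follow."""
    kind = f[0]
    if kind in ('top', 'prop'):
        return {()}
    if kind in ('not', 'sab'):
        return paths(f[-1])
    if kind == 'or':
        return paths(f[1]) | paths(f[2])
    return {()} | {(f[1],) + w for w in paths(f[2])}       # 'dia'

def pruned(R, s, f):
    """S_{f,s} and R_{f,s}: states and transitions on pi-paths from s with pi in P_f."""
    P = paths(f)
    Sf, Rf, todo, seen = {s}, set(), [(s, ())], set()
    while todo:
        u, w = todo.pop()
        if (u, w) in seen:
            continue
        seen.add((u, w))
        for (x, a, v) in R:
            if x == u and w + (a,) in P:
                Sf.add(v)
                Rf.add((x, a, v))
                todo.append((v, w + (a,)))
    return Sf, Rf

def star_model(R, L, s, f, alphabet, dummies=True):
    """T*_{f,s}: the pruned model plus k^a = min(sd_a(f), diff_a(R, R_{f,s})) fresh
    states s^a_i, each carrying a single a-transition back to s."""
    Sf, Rf = pruned(R, s, f)
    Ss, Rs, Ls = set(Sf), set(Rf), {u: L.get(u, set()) for u in Sf}
    if dummies:
        for a in alphabet:
            diff_a = sum(1 for (u, b, v) in R - Rf if b == a)
            for i in range(1, min(sd(f, a), diff_a) + 1):
                d = ('s', a, i)                            # fresh state s^a_i
                Ss.add(d); Rs.add((d, a, s)); Ls[d] = set()
    return Ss, Rs, Ls

def theorem11_check(R, L, s, f, alphabet):
    """Return (truth in T, truth in T*_{f,s}); Theorem 11 says the two coincide."""
    Ss, Rs, Ls = star_model(R, L, s, f, alphabet)
    return sat(R, L, s, f), sat(Rs, Ls, s, f)

# Constructed sample model: s = 0 with two a-successors (only state 1 carries p) and a
# separate a-cycle 3 <-> 4 whose only role is to provide 'spare' a-transitions to delete.
R0 = {(0, 'a', 1), (0, 'a', 2), (1, 'b', 3), (3, 'a', 4), (4, 'a', 3), (4, 'b', 0)}
L0 = {1: {'p'}}
ALPHABET = ('a', 'b')
P = ('prop', 'p')
PHI1 = ('sab', 'a', ('dia', 'a', P))                       # delete one a-edge, then <a>p
PHI2 = ('not', ('sab', 'a', ('not', ('dia', 'a', P))))     # <a>p survives every a-deletion
PHI3 = ('sab', 'a', ('sab', 'a', ('dia', 'a', P)))         # two a-deletions, then <a>p

if __name__ == '__main__':
    for f in (PHI1, PHI2, PHI3):
        print(f, theorem11_check(R0, L0, 0, f, ALPHABET))
```

With `dummies=False` the pruned model alone has only the two $a$-transitions leaving $s$, so `PHI3` becomes false there although it holds in $T$; the two dummy transitions $s^a_1, s^a_2$ restore the equivalence, which is exactly the failure the section opens with.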



5 Finite Model Property and Satisfiability for PSL

In this section we present five PSL-formulae ($\alpha_i$, $\beta^a_{k,i}$, $\gamma_i$, $\delta_i$ and $\zeta_i$). Together they ensure that a model of an SML-formula $\varphi$ contains a pruned submodel (relative to $\varphi$) such that each two states of the submodel are connected by $i$-transitions for $1 \le i \le sd(\varphi)$. Further one cannot escape the submodel either by using the standard modalities or by using the sabotage modalities of $\varphi$. For technical reasons we additionally use the symbol $0$ as a kind of anchor: deletion of $0$-transitions allows us to mark and identify states. Then we are ready to show the main results of the paper: PSL lacks the finite model property and the satisfiability problem for PSL is undecidable.

Let $\varphi$ be an SML-formula over $\Sigma$ and let $P_\varphi$ be as in the last section. We assume that $\Sigma \cap \{0, \ldots, sd(\varphi)\} = \emptyset$. For a transition system $T = (S, \Sigma', R, L)$ with $\Sigma \subseteq \Sigma'$ and $s \in S$ let $S_{\varphi,s} \subseteq S$ be defined as before. For a language $A \subseteq \Sigma^*$ the modal operator $\Diamond_A$ is defined by
$$\Diamond_A \psi := \bigvee_{a_1 \cdots a_n \in A} \Diamond_{a_1} \cdots \Diamond_{a_n} \psi.$$
The operator $\Box_A$ is defined analogously. Note that $\Diamond_\emptyset \psi = \bot$ and $\Diamond_{\{\varepsilon\}} \psi = \psi$. In the sequel let $\Sigma_m := \Sigma \cup \{0, \ldots, m\}$ and $T = (S, \Sigma_m, R, L)$ be a transition system over $\Sigma_m$. The PSL-formula $\alpha_i$ over $\Sigma_m$ is defined by
$$\alpha_i := \Diamond_0 \top \wedge \not\Diamond_0 \Box_0 \bot \wedge \Box_{P_\varphi}(\Diamond_0 \top \wedge \not\Diamond_i \not\Diamond_0 \Box_0 \bot).$$



Lemma 12. If $(T, s, t) \models \alpha_i$ then $s = t$, and for every $u \in S_{\varphi,s}$ it holds $(s, i, u) \in R$ and $u$ has exactly one $0$-successor. In particular, $(s, i, s) \in R$.

Proof. It is easy to see that the first two terms imply $s = t$. If the current position is $[s, s]$, then the last term says that for every $u \in S_{\varphi,s}$ it holds: $u$ has a $0$-successor (by $\Diamond_0 \top$) and there is a sabotage path $(s, i, w), (w, 0, w')$ such that $u$ has no $0$-successor anymore. Hence it must be $w = u$ and there is only one $0$-successor of $u$. □
For $a \in \Sigma$ the PSL-formula $\beta^a_{k,i}$ over $\Sigma_m$ is inductively defined by
$$\beta^a_{0,i} := \not\Box_i\bigl(\not\Box_a \bot \vee \not\Diamond_0 \Diamond_{P_\varphi} \Box_0 \bot\bigr),$$
$$\beta^a_{k+1,i} := \not\Diamond_i\bigl(\not\Diamond_0 \Box_{P_\varphi} \Diamond_0 \top \wedge \not\Diamond_a \top \wedge \not\Box_{\Sigma \setminus \{a\}} \bot \wedge \not\Box_a(\not\Diamond_0 \Box_0 \bot \wedge \beta^a_{k,i})\bigr).$$
Lemma 13. If $(T, s, t) \models \alpha_i \wedge \beta^a_{k,i}$ then there are pairwise distinct states $s^a_1, \ldots, s^a_k \in S \setminus S_{\varphi,s}$ with $(s, i, s^a_j) \in R$ and $(s^a_j, a, s) \in R$ for $1 \le j \le k$, such that $(s^a_j, b, v) \in R$ with $v \in S$ and $b \in \Sigma$ implies $v = s$ and $b = a$. Moreover, for every $v \in S \setminus S_{\varphi,s}$ with $(s, i, v) \in R$ and $(v, a, s) \in R$ there is some $1 \le j \le k$ with $v = s^a_j$, and $(T, s, t) \not\models \beta^a_{k',i}$ for every $k' \ne k$.

Proof. By induction on $k$. By the previous lemma $\alpha_i$ implies $s = t$, so the current position is $[s, s]$. For $k = 0$ assume that there is $v \in S$ with $(s, i, v) \in R$ and $(v, a, s) \in R$. If $(s, i, v)$ is removed and the current position becomes $[s, v]$ then, since $v$ has an $a$-successor, the second disjunct of $\beta^a_{0,i}$ must be true. This means that there is an outgoing $0$-transition of $v$ and, if it is removed, there is a $\pi$-path from $s$ to some $u \in S$ for $\pi \in P_\varphi$ such that $u$ has no $0$-successor. But by $\alpha_i$ every such $u$ has a $0$-successor in the initial model, hence it must be $u = v$ and therefore $v \in S_{\varphi,s}$.

For the induction step we assume that the statement holds for $k$. If the current position is $[s, s]$ then the first conjunct of $\beta^a_{k+1,i}$ implies that there are $u, v \in S$ and a sabotage path $(s, i, u), (u, 0, v)$ such that every $w \in S_{\varphi,s}$ still has a $0$-successor. Hence $u \notin S_{\varphi,s}$. If the current position is $[s, u]$, the second and third conjunct say that $u$ has an $a$-successor and no $b$-successor for $b \ne a$. The last term forces that for every $a$-successor $v$ of $u$, if the current position is $[s, v]$, then there is $(v, 0, w) \in R$ for some $w \in S$ and, if this transition is removed, $s$ has no $0$-successor anymore. But by $\alpha_i$ state $s$ has an initial $0$-successor, therefore it must be $v = s$. The current position becomes $[s, s]$ again and by induction $\beta^a_{k,i}$ implies the existence of $s^a_1, \ldots, s^a_k$ with the stated properties. Since the transition $(s, i, u)$ was removed we have $u \ne s^a_j$ for every $1 \le j \le k$. Hence we can set $s^a_{k+1} := u$.

Assume that there is $v \in S \setminus S_{\varphi,s}$ and there are $(s, i, v) \in R$ and $(v, a, s) \in R$. If $u \ne v$ then both transitions were not deleted until the current position becomes $[s, s]$ again. By induction, $\beta^a_{k,i}$ implies $v = s^a_j$ for some $1 \le j \le k$. □

Let $\gamma_i$ be the following PSL-formula over $\Sigma_m$:
$$\gamma_i := \not\Box_i\bigl(\not\Diamond_0 \Diamond_{P_\varphi} \Box_0 \bot \vee \not\Diamond_\Sigma \not\Diamond_0 \Box_0 \bot\bigr) \wedge \Box_{P_\varphi} \Box_\Sigma\bigl(\Diamond_0 \top \wedge \not\Diamond_{P_\varphi} \not\Diamond_0 \Box_0 \bot\bigr).$$



Lemma 14. Let $k_a \in \mathbb{N}$ for every $a \in \Sigma$ and let $s^a_j$, $1 \le j \le k_a$, be as in Lemma 13. If
$$(T, s, t) \models \alpha_i \wedge \bigwedge_{a \in \Sigma} \beta^a_{k_a,i} \wedge \gamma_i$$
then (1) for every $v \in S$ with $(s, i, v) \in R$ it holds $v \in S_{\varphi,s}$ or $v = s^a_j$ for some $a \in \Sigma$ and $1 \le j \le k_a$, and (2) for every $u \in S_{\varphi,s}$, $a \in \Sigma$ and $v \in S$ with $(u, a, v) \in R$ it holds $v \in S_{\varphi,s}$.

Proof. By Lemma 12 the current position is $[s, s]$ and every state $u \in S_{\varphi,s}$ has exactly one $0$-successor. By removing $(s, i, v)$ one reaches position $[s, v]$. The first disjunct in the first brackets of $\gamma_i$ is satisfied if and only if $v \in S_{\varphi,s}$. If $v \in S \setminus S_{\varphi,s}$ then, by the second disjunct, there is a sabotage path $(v, a, w), (w, 0, w')$ for some $a \in \Sigma$ such that $s$ has no $0$-successor anymore. Hence $w = s$ and there is $(v, a, s) \in R$. By Lemma 13 we have $v = s^a_j$ for some $1 \le j \le k_a$.

Now let $u \in S_{\varphi,s}$ and $v \in S$ with $(u, a, v) \in R$ for some $a \in \Sigma$. By the second conjunct of $\gamma_i$, $v$ has a $0$-successor and for some $\pi \in P_\varphi$ there is a sabotage $\pi$-path from $s$ to some $w \in S_{\varphi,s}$ such that, if the path is extended to some $0$-successor of $w$, then $v$ has no $0$-successor anymore. Hence $v = w$ and $v$ belongs to $S_{\varphi,s}$. □

Let $\delta_i$ be the following PSL-formula over $\Sigma_m$:
$$\delta_i := \not\Box_i \Box_i\bigl(\Diamond_0 \top \wedge \not\Diamond_i \not\Diamond_0 \Box_0 \bot\bigr) \wedge \Box_i \Box_i\bigl(\Diamond_0 \top \wedge \not\Diamond_i \not\Diamond_0 \Box_0 \bot\bigr).$$

Lemma 15. If $(T, s, s) \models \delta_i$ then
1. $(s, i, u) \in R$ and $(s, i, v) \in R$ for $u \ne v \in S$ implies $(u, i, v) \in R$;
2. $(s, i, u) \in R$ and $(u, i, v) \in R$ for $u, v \in S$ implies $(s, i, v) \in R$.

Proof. 1. Let $u, v \in S$, $u \ne v$ with $(s, i, u) \in R$ and $(s, i, v) \in R$. By the first conjunct of $\delta_i$, starting from position $[s, s]$ and removing the transition $(s, i, u)$ the current position becomes $[s, u]$. Since $(s, i, v)$ is still available we can reach position $[v, u]$. Then $v$ has a $0$-successor and there is a sabotage path $(u, i, w), (w, 0, w')$ such that $v$ has no $0$-successor anymore. Hence $v = w$, i.e., there is $(u, i, v) \in R$.

2. Let $u, v \in S$ with $(s, i, u) \in R$ and $(u, i, v) \in R$. By the second conjunct we can reach position $[u, s]$ and then $[v, s]$ from the initial position $[s, s]$, and $v$ has a $0$-successor. Further there is a sabotage path $(s, i, w), (w, 0, w')$ such that $v$ has no $0$-successor anymore. Hence $w = v$, i.e., there is $(s, i, v) \in R$. □

Let $\zeta_i$ be the following PSL-formula over $\Sigma_m$:
$$\zeta_i := \Box_i\bigl(\Diamond_0 \top \wedge (\not\Diamond_0 \Box_0 \bot \vee \not\Diamond_i(\not\Diamond_0 \Box_0 \bot \wedge \not\Diamond_i \not\Diamond_0 \Box_0 \bot))\bigr).$$

Lemma 16. If $(T, s, s) \models \zeta_i$ then for every $u \in S$ with $(s, i, u) \in R$ it holds $(u, i, u) \in R$ and $u$ has exactly one $0$-successor.

Proof. Let the initial position be $[s, s]$ and let $u \in S$ with $(s, i, u) \in R$. If the position becomes $[u, s]$, then $u$ has a $0$-successor by the first conjunct of $\zeta_i$. The first disjunct is true if and only if $u = s$ and $s$ has a single $0$-successor. In this case we have $(s, i, s) \in R$ by the assumption. If $u \ne s$, then the second disjunct must be satisfied. To satisfy $\not\Diamond_0 \Box_0 \bot$ state $u$ can only have a single $0$-successor and one has to remove the transition $(s, i, u)$ such that the current position becomes $[u, u]$. But then one has to use (and remove) an $i$-transition leading back to $u$ to satisfy the last term, i.e., there must be $(u, i, u) \in R$. □
Now let $m := sd(\varphi)$ and let $\varphi^P$ be the PSL-formula as defined in Sect. 3. Let $\hat\varphi$ be the PSL-formula over $\Sigma_m$ that is the conjunction of $\varphi^P$, of $\alpha_i$, $\gamma_i$, $\delta_i$ and $\zeta_i$ for every $1 \le i \le m$, of
$$\bigwedge_{a \in \Sigma} \; \bigvee_{k=0}^{sd_a(\varphi)} \; \bigwedge_{i=1}^{m} \beta^a_{k,i},$$
and of an additional term ranging over all $1 \le i, n \le m$. The additional term ensures together with $\zeta_i$ that, if $(s, i, u) \in R$ for some $u \in S$ and $1 \le i \le m$ then there is also $(s, j, u) \in R$ for every $1 \le j \le m$ with $j \ne i$. In particular, the additional states $s^a_j$ due to $\beta^a_{k,i}$ are identical with the ones given by $\beta^a_{k,n}$ for $n \ne i$.

For $T = (S, \Sigma, R, L)$ and $s \in S$ let $T^*_{\varphi,s} = (S^*_{\varphi,s}, \Sigma, R^*_{\varphi,s}, L^*_{\varphi,s})$ be defined as in Sect. 4. The transition system $T^0_{\varphi,s}$ is defined by $T^0_{\varphi,s} := (S^*_{\varphi,s}, \Sigma_m, R^0_{\varphi,s}, L^*_{\varphi,s})$ where
$$R^0_{\varphi,s} := R^*_{\varphi,s} \cup \{(u, 0, u) \mid u \in S^*_{\varphi,s}\} \cup \{(u, i, v) \mid u, v \in S^*_{\varphi,s} \wedge 1 \le i \le m\}.$$
Theorem 17. Let $\varphi$ be an SML-formula. Then $\varphi$ is satisfiable iff $\hat\varphi$ is satisfiable, and $\varphi$ has a finite model iff $\hat\varphi$ has a finite model.

Proof. Let $T = (S, \Sigma, R, L)$ and $s \in S$ with $(T, s) \models \varphi$. By Theorem 11 it holds $(T^*_{\varphi,s}, s) \models \varphi$. Since the symbol $0$ does not occur in $\varphi^P$ the same argument as for Lemma 5 shows that $(T^0_{\varphi,s}, s, t) \models \varphi^P$ for any $t \in S$. On the other hand, it is easy to check that $(T^0_{\varphi,s}, s, s)$ satisfies $\alpha_i$, $\gamma_i$, $\delta_i$ and $\zeta_i$ for every $1 \le i \le m$ and that for any $a \in \Sigma$, there is exactly one $k$ with $0 \le k \le sd_a(\varphi)$ (namely $k^a_{\varphi,s}$) such that $\beta^a_{k,i}$ is true for every $1 \le i \le m$. Hence $(T^0_{\varphi,s}, s, s) \models \hat\varphi$, i.e., $\hat\varphi$ is satisfiable, and if $T$ is a finite model of $\varphi$, then $T^0_{\varphi,s}$ is a finite model of $\hat\varphi$.

For the converse let $T = (S, \Sigma_m, R, L)$ and $s, t \in S$ such that $(T, s, t) \models \hat\varphi$. By Lemma 12 it holds $s = t$. By Lemma 13 there is exactly one $k_a$ for every $a \in \Sigma$ with $0 \le k_a \le sd_a(\varphi)$ such that $\beta^a_{k_a,i}$ is satisfied. Let $S_{\varphi,s} \subseteq S$ be as before and let $S' \subseteq S$ be defined by
$$S' := S_{\varphi,s} \cup \{s^a_j \mid a \in \Sigma \wedge 1 \le j \le k_a\},$$
where the $s^a_j$'s in $S \setminus S_{\varphi,s}$ are according to Lemma 13. Note that we have $(s, i, s^a_j) \in R$ for every $1 \le i \le m$ by the additional term in $\hat\varphi$. Each $s^a_j$ has a single outgoing $\Sigma$-transition which is labeled by $a$ and leads to $s$. By Lemmata 12, 13, 16, there is $(s, i, u) \in R$ for every $u \in S'$ and $u$ has exactly one $0$-successor. Since only the existence of $0$-successors is used in all subformulae, but none of these transitions is actually traversed, we can assume that all $0$-transitions occur as loops, i.e., there is $(u, 0, u) \in R$ for every $u \in S'$ and $(u, 0, v) \notin R$ for $u, v \in S'$, $u \ne v$. Further, there is $(u, i, v) \in R$ for every $u, v \in S'$ (by Lemma 15, if $u \ne v$ and by Lemma 16, if $u = v$). Let $u \in S'$ and $v \in S$ with $(u, i, v) \in R$. Since there is $(s, i, u) \in R$, there is also $(s, i, v) \in R$ by Lemma 15. By Lemma 14 it follows $v \in S'$, i.e., one cannot escape $S'$ by using $i$-transitions. On the other hand, again by Lemma 14, one cannot escape $S_{\varphi,s}$ by using $\Sigma$-transitions. In other words, using any modality in $\hat\varphi$, either a standard or a sabotage one, one stays in $S'$. It is easy to see that we can therefore restrict $T$ to the states in $S'$, i.e., for the transition system $T' := (S', \Sigma_m, R \cap S' \times \Sigma_m \times S', L|_{S'})$ it also holds $(T', s, s) \models \hat\varphi$. In particular, $(T', s, s)$ is a model of $\varphi^P$ with $i$-transitions between any two states. Let $T''$ be the restriction of $T'$ to the alphabet $\Sigma$. Since the symbol $0$ does not occur in $\varphi^P$ and by the same argument as for Lemma 5 we get $(T'', s) \models \varphi$, i.e., $\varphi$ is satisfiable. Further, if $T$ is a finite model of $\hat\varphi$ then $T''$ is a finite model of $\varphi$. □

Now we are ready to transfer the results on SML to PSL. By using the reduction $\varphi \mapsto \hat\varphi$ together with Theorem 2 and Theorem 3 we get

Corollary 18. PSL lacks the finite model property. The problems Satisfiability, Finite Satisfiability and Infinity Axiom are undecidable for PSL.



6 Conclusion 

We have considered the path sabotage logic PSL which is a balanced version of 
SML. Both logics are extensions of modal logic that are capable of describing 
elementary changes of structures. We have shown that the model checking com- 
plexity for the logic PSL with a localized sabotage modality is as hard as for 
SML that has a global ’edge-deleting’ modality. Also the satisfiability problem 
stays undecidable. In fact, from the viewpoint of complexity, both logics much 
more resemble first-order logic than modal logic, except for a linear formula and 
a polynomial program complexity. 

There are other restrictions to the global power of the sabotage operator, for 
example the localized version of SML where only those edges can be deleted that 
start at the current position within the system. Interpreting the modalities as 
movements of the agents ‘runner’ and ‘saboteur’ in a crumbling network, this 
localized sabotage logic corresponds to the situation that the saboteur can only 
block adjacent nodes and that the runner gives the saboteur a ‘pickaback’ while 
moving in the network. An argument (to be presented elsewhere) which resembles 
the proofs above shows that the complexities stay the same: Uniform model 
checking is PSPACE-complete and the satisfiability problem is undecidable. 
Abstract. The Parameterized Model Checking Problem (PMCP) is to decide whether a temporal property holds for a uniform family of systems, $U^n$, comprised of finite, but arbitrarily many, copies of a template process $U$. Unfortunately, it is undecidable in general [3]. In this paper, we consider the PMCP for
systems comprised of processes arranged in a ring that communicate by passing 
messages via tokens whose values can be updated at most a bounded number 
of times. Correctness properties are expressed using the stuttering-insensitive 
linear time logic LTL\X. For bidirectional rings we show how to reduce rea- 
soning about rings with an arbitrary number of processes to rings with up to 
a certain finite cutoff number of processes. This immediately yields decidabil- 
ity of the PMCP at hand. We go on to show that for unidirectional rings small 
cutoffs can be achieved, making the decision procedure provably efficient. As 
example applications, we consider protocols for the leader election problem. 



1 Introduction 

The Parameterized Model Checking Problem (PMCP) is to decide whether a temporal property holds for a uniform family of systems $U^n$ comprised of finite, but arbitrarily many, copies of a template process $U$. Unfortunately, PMCP is undecidable because a system of size $n$ can simulate a Turing machine for $n$ steps [3]. The Halting problem for Turing Machines can then be easily formulated as a PMCP for reachability of the halting state, viz., $EF\,\mathit{halt}$. This argument can be refined even in the case where the parameterized system is a unidirectional ring [17]. It follows from a result by Shannon [16] that the undecidability result holds even when the head (token circulating in the ring) can have only two possible states. An essential part of the undecidability proof of the latter is that the message token changes value an arbitrary number of times.

We show in this paper that if there is a bound $b$ on the number of times the token changes value during a run of the system, then the PMCP is decidable. This boundedness assumption can be justified by the fact that protocols for a number of ring based applications have the property that the value of each message bearing token can be changed only a bounded number of times in any run of the protocol. For instance, in standard protocols for the leader election problem [15], every token makes at most one value change during any run of each of the protocols.

We express correctness properties using the stuttering-insensitive linear temporal logic LTL\X. The basic assertions are of the form $A\,h$ or $E\,h$, where formula $h$ is built using F "sometimes", G "always", U "until" but without X "next-time"; and A "for all futures" and E "for some future" are the usual path quantifiers. Use of stuttering-insensitive logics is natural when model checking parameterized systems as the next-time operator X gives us the ability to count, often leading to undecidability of the PMCP [10].

In the case of unidirectional (or certain restricted bidirectional) rings, we argue that arbitrarily "large" systems of size $n$ can be imitated up to stuttering by a small system of a certain cutoff size $c$, where $c = O(b)$. Thus to solve PMCP, checking correctness over all sizes $n$, it is necessary and sufficient to check all sizes $m$ up to $c$. In the context of rings, this style of "cutoff" argument has been used in [11], where it was shown how to reduce reasoning about properties expressed using the branching time temporal logic CTL*\X from a system with an arbitrary number of processes to systems with up to a small cutoff number of processes. However, the results were established only for unidirectional rings where the token could not carry values, viz., processes could not exchange messages among themselves, resulting in a framework with limited modeling power. For example, it is not clear how standard protocols for the Leader Election problem (see, for example, [15]) that require tokens to change values, viz., messages to be exchanged, can be encoded in this framework. Our unidirectional ring framework has a broader modeling power but with an efficiently decidable PMCP.

The case of bidirectional rings is more involved. Here we find it convenient to exploit the viewpoint that a ring of many ($n$) similar processes is tantamount to a Turing machine on a circular tape (CTM for short) with $n$ tape cells. To see this, we note that a token in a ring can be viewed as the head of the CTM, with the value of the token representing the control state of the head. Cell $i$ of the circular tape corresponds to $P_i$, the $i$th process in the ring, with the tape symbol in cell $i$ representing the local state of $P_i$. This, in effect, reduces the PMCP for bidirectional rings in which the token makes only a bounded number of value changes to the study of the PMCP for CTMs in which the head only makes a bounded number of state changes. To analyze the behavior of CTMs we in turn study (Linear Tape) Turing Machines with bounded state changes to the head. For an arbitrary Turing machine, the associated PMCP again amounts to the halting problem and is undecidable. However, we demonstrate that for a Turing machine that can make at most a bounded number $b$ of state changes, the halting problem is decidable, and, hence for the associated ring system where token values change at most $b$ times, the PMCP is decidable. The latter result is established by induction on $b$. The base case $b = 1$ represents a Turing machine with a single (non-halting) state.

The rest of the paper is organized as follows. The unidirectional (or restricted bidi- 
rectional) ring model is introduced and the related cutoff results shown in section 2 while 
the cutoff results for bidirectional rings are given in section 3. Applications are handled 
in section 4 and we conclude with some remarks in section 5. 
2 Unidirectional Rings

Communication in computer networks is usually carried out via message passing using packets or value-bearing tokens in which the sender puts the data and the address of the intended receiver. However, apart from data transfer, tokens also play a crucial role in the implementation of network protocols. In a typical network protocol, a process sends out a token owned by it to gather information about other processes in the network. In leader election [15], for example, a process sends out a token bearing its identifier to find out whether there exists another process with an identifier of greater value. In this role tokens play a passive role in that they do not cause any state change in processes other than the ones owning them but are used merely for information gathering. A key reason for this might be that most protocols are data independent. In this section, we propose a simple framework to model such protocols and show how to reduce reasoning about linear time properties for such a system with an arbitrary number of processes to one with a few.

The Process Framework. We consider systems comprised of processes arranged in the form of a ring communicating using multiple message-bearing tokens, each of whose value can be modified at most a bounded number of times (see Remark 2.2), say $b$. All tokens move in the same direction, say clockwise. In a ring $\mathcal{R}$ comprised of the $n$ processes $P_0, \ldots, P_{n-1}$ listed in clockwise order of occurrence around the ring, the $i$th process, $P_i$, is given by a tuple of the form $(Q_i, \Sigma_i, T_i, R_i, \iota_i)$, where $Q_i$ is the finite set of states of $P_i$, $\Sigma_i$ the set of labels of $P_i$, $T_i$ the set of tokens owned by $P_i$, $R_i$ its transition relation and $\iota_i$ the initial state. Let $T = \bigcup_i T_i$. Each token in $T$ can take on values from the set $V$. In any global state of the ring, a token is in the possession of exactly one process. A process may, however, possess multiple tokens.

Transitions of $P_i$ can be classified as either internal or token dependent. An internal transition of $P_i$ is of the general form $a \xrightarrow{\,l\,} b$, and can always be fired irrespective of the current global state of the system. A token dependent transition of process $P_i$, on the other hand, is of the general form $tr : a \xrightarrow{\,g,\,A\,} b$, where $g : V \to \{\mathit{true}, \mathit{false}\}$ is a boolean valued function and action $A$ is either the expression $\mathit{skip}$ or of the form $t := v$. Token dependent transition $tr$ can be fired only if $P_i$ possesses a token $t$ from the subset $T_{tr} \subseteq T$ with a value that enables guard $g$. We then say that transition $tr$ involves token $t$. After $tr$ is fired, process $P_i$ transits to local state $b$ and $t$ is passed on to the clockwise neighbor. If action $A$ is the expression $\mathit{skip}$, then the token is simply passed on with its value unchanged, else if $A$ is the expression $t := v$, then the token is passed with its value updated to $v$.

For each token dependent transition $tr$ of process $P_i$, the set $T_{tr}$ is either $T_i$ or $T \setminus T_i$. If $T_{tr} = T_i$, viz., $tr$ involves tokens owned by it, then $tr$ is termed an endogenous token dependent transition, else if $T_{tr} = T \setminus T_i$, viz., $tr$ involves tokens not owned by it, then $tr$ is termed an exogenous token dependent transition. Exogenous transitions of process $P_i$ can be thought of as constituting the communication layer of $P_i$ responsible for handling tokens owned by other processes but causing no change in the local state of $P_i$. On executing an exogenous transition involving token $t$, it is passed on to the clockwise neighbor with a possible change in the value of $t$ but without changing the local state of $P_i$. Thus every exogenous transition is of the general form $a \xrightarrow{\,g,\,A\,} a$.

328 E.A. Emerson and V. Kahlon

We assume that the action $A$ of exogenous transitions is oblivious of the current local state of $P_i$ and depends only on the value of the token. Thus if $a \xrightarrow{\,g,\,A\,} a$ is an exogenous transition, then for each $b \in Q_i$, there exists an exogenous transition in $R_i$ of the form $b \xrightarrow{\,g,\,A\,} b$. To prevent a process from indefinitely taking possession of a token not owned by it, we assume that from any local state of $P_i$, for any possible value of $t \notin T_i$, there always exists an exogenous transition of $P_i$ that is enabled. We use $\mathcal{R}$ to denote the ring comprised of the $n$ processes $P_0, \ldots, P_{n-1}$ executing asynchronously with interleaving semantics; it is defined in the usual way.

Reduction Result. We show a one way reduction for properties of the form $A\,h(i,j)$, where $h(i,j)$ is an LTL\X formula with atomic propositions over the local states of processes $P_i$ and $P_j$, from a ring $\mathcal{R}$ of arbitrary size comprised of possibly distinct non-isomorphic processes to a ring of size at most $b(|T_i| + |T_j|)$, where $b$ is the bound on the number of times the value of each token of $\mathcal{R}$ can be modified. We assume that each process $P_i$ of $\mathcal{R}$ is deterministic, viz., for every local state $a$ of $P_i$, the following conditions hold:

(i) for every possible value of a token not owned by $P_i$, there is a unique exogenous transition of $P_i$ from $a$ that is enabled, and

(ii) there is either an internal transition or, for every possible value of token $t \in T_i$, a unique endogenous transition that is enabled from $a$, but not both.

Using the fact that exogenous transitions are state oblivious and the deterministic nature of processes it can be shown that $P(t)$ is independent of the global computation $\mathcal{R}$ executes. Thus we have the following.

Lemma 2.0. $P(t)$ is well-defined.

For a set $T$ of tokens, we let $P(T)$ denote $\bigcup_{t \in T} P(t)$. Let $P_i$ and $P_j$ be processes belonging to ring $\mathcal{R}$. We let $\mathcal{R}(i,j)$ denote the ring comprised of the processes $\{P_i, P_j\} \cup P(T_{P_i}) \cup P(T_{P_j})$ occurring in the same relative clockwise order as along $\mathcal{R}$.

Proposition 2.1 (Reduction Result). Let $\mathcal{R}$ be a ring with processes $P_i$ and $P_j$. Then $\mathcal{R} \models E\,h(i,j)$ implies that $\mathcal{R}(i,j) \models E\,h(i,j)$, where $h(i,j)$ is an LTL\X formula over the local states of $P_i$ and $P_j$.

Proof Idea. Given a computation $x$ of $\mathcal{R}$, we construct a computation $y$ of $\mathcal{R}(i,j)$ such that $x[i,j]$, viz., $x$ projected onto processes $P_i$ and $P_j$, is a stuttering of $y[i,j]$. □

Remark 2.2 (Boundedness). In general, the number of value changes for tokens of a given ring might not be bounded and hence the above result may not yield any reduction. However, for special cases we can deduce from merely a static analysis of the syntax of the processes that each token undergoes only a bounded number of value changes. One such useful case results by treating each token $t$ as essentially a counter with an integer value which decreases each time $t$ is updated. This gives rise to a ring model where we have integer-valued tokens such that for each local state $a$ of a process the token dependent transitions from $a$ involving $t$ are of the form $a \xrightarrow{\,t = c,\; t := d\,} a'$, where $c > d$, and $a \xrightarrow{\,t = c,\; \mathit{skip}\,} a''$. Thus token $t$ can be thought of as a counter that is set initially and each time a token dependent transition modifies the value of $t$ there is a decrease in its value. Once $t$ is modified by a transition of the form $tr : a \xrightarrow{\,t = c,\; t := d\,} a'$ of process $P_k$, then the next token dependent transition to modify the value of $t$ is the next transition of the form $tr' : a' \xrightarrow{\,t = c',\; t := d'\,} a''$, where $c' \le d$, that is encountered as we traverse the ring in a clockwise direction from $P_k$. This transition is either an exogenous transition of a process other than the owner $P_i$ of $t$ (which is the same for each local state of the process) or an endogenous transition from the current local state of $P_i$. We call such a pair of transitions 'adjacent'. Thus the maximum number of times the value of $t$ can be updated is the maximal length of a sequence of adjacent transitions. For the LCR protocol (section 4), the maximum length of such a sequence for each token is 1.
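The static bound sketched in Remark 2.2 can be computed directly from the syntax of the processes. The following Python program is an added example and not part of the paper: a ring is given clockwise as a list of processes, each listing its value-modifying token dependent transitions as (guard value $c$, new value $d$) pairs; each modifier is linked to the modifiers at the first process encountered clockwise whose guard can still fire on the decreased value, and the length of the longest chain of adjacent transitions is returned. The encoding of rings, the two sample rings (an LCR-style ring and a three-phase ring) and all function names are our assumptions. Since local states are not known statically, all matching transitions of that first process are taken as successors, which over-approximates the remark's single "next transition" and therefore still yields a sound bound.

```python
# Added example: static bound on token value changes, after Remark 2.2.
# A ring is a list (clockwise order) of processes; each process is a list of its
# value-modifying token dependent transitions encoded as (guard value c, new value d).
# Encoding and sample rings are constructed here, not taken from the paper.

def counter_discipline_ok(ring):
    """Every modifying transition must strictly decrease the token value (c > d)."""
    return all(c > d for mods in ring for (c, d) in mods)

def next_modifiers(ring, k, d):
    """Modifiers at the first process clockwise from P_k (P_k itself last) whose guard
    can fire on the decreased value d. Local states are unknown statically, so every
    such transition of that process counts (sound over-approximation)."""
    n = len(ring)
    for step in range(1, n + 1):
        j = (k + step) % n
        cands = [(j, c, d2) for (c, d2) in ring[j] if c <= d]
        if cands:
            return cands
    return []

def max_value_changes(ring):
    """Maximal length of a chain of adjacent modifiers, i.e. the bound b on the number
    of value changes of any token. Chains are finite because each modifier strictly
    decreases the value, so the recursion terminates."""
    if not counter_discipline_ok(ring):
        raise ValueError("a modifier does not decrease the token value; no static bound")
    memo = {}

    def chain(node):
        if node not in memo:
            j, c, d = node
            memo[node] = 1 + max((chain(m) for m in next_modifiers(ring, j, d)), default=0)
        return memo[node]

    return max((chain((j, c, d)) for j, mods in enumerate(ring) for (c, d) in mods),
               default=0)

# Constructed LCR-style ring: P_0 owns a token carrying value 2 ("candidate"); a process
# with a larger identifier absorbs it by setting the value to 0. Each token changes once.
LCR_RING = [[], [(2, 0)], [(2, 0)]]

# Constructed three-phase ring: the token is decremented at P_1, then at P_2, then by
# its owner P_0, giving a chain of three adjacent modifiers.
PHASED_RING = [[(1, 0)], [(3, 2)], [(2, 1)]]

if __name__ == '__main__':
    print(max_value_changes(LCR_RING), max_value_changes(PHASED_RING))
```

The bound returned for the LCR-style ring is 1, matching the remark; a ring that violates the counter discipline is rejected rather than given a meaningless bound, since without strictly decreasing values the chains need not be finite.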

Extensions. The results also hold for the following two extensions of our model. 

(a) Adding FIFO Queues. Queues may be necessary to ensure that tokens sent to 
a process are handled in the order received. This guarantees weak and strong fairness 
requirements are met for the verification of liveness properties. 

(b) Restricted Bidirectional Tokens. The model can also be generalized by allowing 
restricted bidirectional tokens where instead of always moving in a fixed clockwise 
direction we can allow a token to be able to change direction when it is assigned a new 
value. For a fixed value, however, the token always moves in the same direction. 

3 Bidirectional Rings

We present a generalization of the unidirectional ring model proposed in [11] by allowing (a) bidirectional rings, and (b) the token to carry values. We consider systems comprised of finite, but arbitrarily many, copies of a single process template $P$ arranged in the form of a ring executing concurrently, viz., with interleaving semantics. We only consider the case where processes communicate using a solitary token $t$ that is allowed to carry values. Template process $P$ has two types of transitions: (1) token dependent that require $P$ to possess $t$ in order to fire, and (2) internal that can be fired irrespective of whether $P$ possesses $t$ or not. In addition, $P$ uses transitions labeled with the receive action to take possession of $t$ from its counterclockwise neighbor and transitions labeled with send actions to relinquish possession of $t$ to its clockwise neighbor. In any computation, the system is allowed to change the value of the token at most a bounded number of times, say $b$. Allowing an unbounded number of value changes to the token could, in general, make a family of such systems Turing-powerful [17] and hence the corresponding PMCP undecidable.

Formally, process P is defined to be a labeled transition system given by the tuple (S × (V ∪ {⊥}), Σ, R, (i, ⊥)), where

- V is the finite set of values that t can take, with ⊥ ∉ V.

- S × (V ∪ {⊥}) is the set of states of P, with the pair (a, v) ∈ S × (V ∪ {⊥}) indicating that P is in local state a, and v is the value of t in case P possesses t, else v = ⊥.

- (i, ⊥) is the initial state of P.

- Σ, the set of actions, is the disjoint union of the set of “internal” actions Σ_i, the set of “token dependent” actions Σ_td and the set of token transfer actions {snd_v, rcv_v}.

- R, the transition relation, is the set of all transitions (a, v) -l-> (b, v', D), with D ∈ Dir = {counterclockwise, clockwise, undefined}, where

  • l ∈ Σ_i implies that v = v' and D = undefined.

  • l ∈ Σ_td implies that v = v', v ∈ V and D = undefined.

  • l = rcv_u implies that v = ⊥, v' = u and D = undefined.

  • l = snd_u implies that v ∈ V, v' = ⊥ and D ∈ {clockwise, counterclockwise}.

  • if a = i and v = ⊥, then l = rcv_u for some u ∈ V, viz., the only possible initial action is a receive. We also assume that along any path of P send and receive actions alternate.

In this paper, for simplicity we consider only bidirectional rings where the processes are deterministic. A bidirectional ring system comprised of n copies of a process template P is denoted by P^n and is represented as (P_0, ..., P_{n-1}) to emphasize the fact that process P_{i+1}* has P_i as its counterclockwise and P_{i+2} as its clockwise neighbor. Analogously, (s_0, ..., s_{n-1}), where for each i, s_i ∈ S_P, represents a global ‘cyclic’ state of P^n, with process P_i in local state s_i. We assume that the send and receive actions of two neighboring processes synchronize when transferring a token.

The (Single Index) PMCP for Bidirectional Rings. To decide whether for all n, P^{n+l}, (x a^n) ⊨ h(m), where (x a^n), the initial configuration of P^{n+l}, is such that x is a fixed sequence of local states of P of length l > m and h(m) is an LTL\X formula over the local states of process P_m. We assume that initially the token is in the possession of process P_0.

Linear Tape and Circular Tape Turing Machines. A (linear tape) Turing Machine M is defined to be a tuple of the form M = (Q, Σ ∪ {⊔, ⊢}, δ, q_0) where

- Q is the set of states of M,

- q_0 ∈ Q is the initial state of M,

- Σ ∪ {⊔, ⊢} is the set of tape symbols with ‘⊔’ being the blank symbol and ‘⊢’ the left end tape marker such that Σ ∩ {⊔, ⊢} = ∅,

- δ ⊆ Q × (Σ ∪ {⊔, ⊢}) × Q × Σ × {L, R} is the transition relation. Since ⊢ is the left-end tape marker, we assume that if (p, ⊢, q, b, D) ∈ δ, then b = ⊢ and D = R, i.e., cell 0, containing ⊢, always reflects the head back to the right.

In this paper, for Turing Machines with linear tapes, the cell containing ⊢ will be referred to as cell 0 while the ith cell to its right is referred to as cell i.

Analogously we define a Circular Tape Turing machine (CTM), M = (Q, Σ, δ, q_0), on the tape cells 0, ..., m, where the transition relation δ ⊆ Q × Σ × Q × Σ × {L, R} has the property that on a right move from cell m the head ends up at cell 0 and on a left move from cell 0 the head ends up at cell m. Note that in this case, because of the circular topology of the system, the left and right directions are not well defined, but we interpret them as the clockwise and counterclockwise directions, respectively.

Modeling Bidirectional Token Rings as Circular Tape Turing Machines. Consider the sequence of transitions a_0 → a_1 → ... → a_k → a_{k+1} of process P where for each i ∈ [1 : k − 1], l_i is an internal or a token dependent transition. Note that since we consider only deterministic systems, it is clear that after firing the send transition a_0 → a_1, a process has to execute all the actions l_1, ..., l_{k−1}, rcv_u in the order listed to receive the token again. Thus we can, in effect, replace the firing of the above sequence of transitions with the firing of just one receive transition a_1 -(l_1 ... l_{k−1} rcv_u)-> a_{k+1}. A similar observation holds for all internal and token dependent transitions sandwiched between a receive and a send transition, in which case we can replace all these transitions with a single send transition. Thus, it suffices to consider processes P where each transition of P is either a send or a receive transition, with send and receive transitions alternating along any path in the transition diagram of P.

* Here ‘+’ denotes addition modulo n.

Using this assumption, we can now readily see that the ring P^n with token t comprised of n copies of process template P = (S × (V ∪ {⊥}), Σ, R, (i, ⊥)) can be looked upon as the CTM C^n = (V, S, δ, i) with one head and tape cells 0, ..., n − 1. Here cell i corresponds to process P_i with the local state of P_i being looked upon as the tape symbol in cell i. The token t can be thought of as the head of the CTM with the value of t being the state of the head. Transition (p, a) → (q, c, D) ∈ δ iff for some b ∈ S, both the transitions (a, ⊥) → (b, p) and (b, p) → (c, ⊥, D) are in R.

Thus the PMCP defined before can now be reformulated as follows: To decide whether for all n, C^{n+l}, (x a^n) ⊨ h(m), where x is a sequence of tape symbols of S of length l and h(m) is an LTL\X formula over the tape alphabet of cell m, with m < l. We assume that for each n, in the initial cyclic configurations (x a^n), the head is placed at cell 0.



3.1 Linear Tape Turing Machines 

We begin by showing that the behavior of a given deterministic one-state Turing Machine M can be deduced from an analysis of the structure of the transition diagram of the control state of M.

Let M = (Q, Σ ∪ {⊢, ⊔}, δ, q_0) be a given deterministic Linear Tape Turing Machine. We assume that M has just one control state, say q, and that the head of M is initially placed at cell 0 with the rest of the tape cells each containing the empty symbol ‘⊔’.

We define the transition graph of M as the directed graph G = (V, E), where V = Σ ∪ {⊔} and E = {(a, b) | a, b ∈ Σ ∪ {⊔}, δ(q, a) = (q, b, D), with D ∈ {L, R}}. Since we are considering a Turing machine with a solitary control state, in any configuration, the direction in which the head of M moves depends only on the symbol it is currently reading. Thus each tape symbol in Σ ∪ {⊢, ⊔} can be characterized as either a left-symbol or a right-symbol depending on whether the head moves left or right upon reading it. Given symbol a ∈ Σ ∪ {⊔}, let G_a denote the subgraph of G induced by the set of symbols reachable from a in G. We say that symbol a ∈ Σ is writable iff M, starting at cell 0 on the empty input, with each non-zero cell containing ⊔, writes a in some tape cell in finitely many moves. Symbol a ∈ Σ ∪ {⊔} is readable iff M, starting on the empty input, reaches a configuration in finitely many steps in which the head is positioned at a cell containing a.
Since M is a deterministic Turing Machine, each node of G has out-degree at most one. To start with, each non-zero tape cell contains ⊔ and so for a symbol to be writable it has to be reachable from ⊔ in G. We may therefore assume, without loss of generality, that all symbols are reachable from ⊔ in G. Thus G is either a simple path starting at ⊔ or a ‘lollipop’ of the form a_0 → ... → a_k → ... → a_d → a_k, where a_0 = ⊔. We begin by considering the case where G is the simple path a_0 → ... → a_k starting at ⊔. Later we show how to reduce the analysis for the case where G is a lollipop to this case.

Definitions and Notation. Let a, b ∈ Σ ∪ {⊔} be such that there is a path from a to b in G. We define the depth of b with respect to a, denoted by d(b, a), to be the number of states, not including b, in the unique path from a to b. Analogously, the left-depth (right-depth) of symbol b with respect to a, denoted by d_L(b, a) (d_R(b, a)), is defined to be the number of left (right) symbols, not including b, along the path from a to b in G. We abbreviate d(a, ⊔) as d(a) and refer to it simply as the depth of a. Similarly, d_L(a, ⊔) (d_R(a, ⊔)) is abbreviated by d_L(a) (d_R(a)) and called the left-depth (right-depth) of a. We write a < b to mean d(a) < d(b).

The content of the ith tape cell after the nth move of M is denoted by t(i, n). For j ≥ 1, we call the portion of the tape comprised of cells numbered greater than or equal to j the interval starting with j and denote it as I(j). For each interval I(j), we define the traversal number of I(j) after move n of M, denoted by trav(j, n), as the ordered pair (k, l), where k is the number of times the head moved from cell j − 1 to j, viz., entered interval I(j), among the first n moves of M, and l is the number of moves made by the head from a cell inside the interval, viz., the cells j, j + 1, ..., after it entered the interval for the kth (last) time.

Key Results. The analysis of the behavior of a single state deterministic Turing machine rests on the following two facts:

1. If in the initial configuration of M the head is placed at cell 0 and each cell of the tape contains the empty symbol ⊔, then after finitely many steps of M the contents of the tape form a non-increasing (depth wise) sequence of tape symbols.

2. Symbol a ∈ Σ is readable iff for each b with d(b) ≤ d(a), d_R(b) ≤ d_L(b).

Proposition 3.1 (Monotonicity Result). For i ≥ 1, we have t(i, n) ≥ t(i + 1, n). Furthermore, if after n moves the head is positioned at cell h < i and t(i, n) ≠ ⊔, then t(i, n) > t(i + 1, n).

An immediate consequence is the following.

Corollary 3.2 For i < j, we have t(i, n) ≥ t(j, n).

Using the above results, we next show that a necessary and sufficient condition for a tape symbol a to be readable is that for all b with d(b) ≤ d(a), we have d_R(b) ≤ d_L(b).

Proposition 3.3 If a ∈ Σ is readable then for all b with d(b) ≤ d(a), d_R(b) ≤ d_L(b).

Proposition 3.4 Let a_i ∈ Σ. If for all j ≤ i, d_R(a_j) ≤ d_L(a_j), then a_i is readable.

Predicting the Behavior of Linear Tape Turing Machines. Let a_j be written in cell k in move m_{j_k} and in cell k + 1 in move m_{j_{k+1}}. Consider the configuration of the tape between moves m_{j_k} and m_{j_{k+1}}. All the cells from 0 to k have a_j written in them. Since cell k + 1 gets written by a_j in finitely many steps, only finitely many, say k + l, cells of the tape are visited in m_{j_{k+1}} moves. Then t(j, n) = ⊔ for all j > k + l + 1.

Consider now the configuration of the tape after execution of step m_{j_{k+1}} − 1. Since in the very next step a_j is written in cell k + 1, the head is currently at cell k + 1. Then using proposition 3.1, we have that a_j = t(k, m_{j_k}) ≥ t(k + 1, m_{j_k}) ≥ t(k + 2, m_{j_k}) ≥ t(k + 3, m_{j_k}) ≥ ... ≥ t(k + l, m_{j_k}). Therefore it follows that l ≤ k + 1 = |G|. Thus we see that the configuration of the tape forms a non-increasing sequence of length k + l with the remaining cells containing the blank symbol. We consider two cases.

(a) Simple Paths. First assume that G is the simple path a_0 → ... → a_k. There are two sub-cases to consider:

Assume first that a_k is readable. By definition of readability, there is a reachable configuration c of M wherein the head, after say n moves, is at tape cell i ≥ 1 containing a_k. Since the tape configuration forms a non-increasing sequence, it follows that if a_k is readable, then it will be read first in cell 1. Clearly, after reading a_k, the head cannot make any more moves and so M deadlocks in cell 1. Thus by the above comment, in this case only k + l tape cells were visited during the computation before M deadlocks in cell 1 and the visited tape cells contain a non-increasing sequence of non-empty tape symbols of length at most k + 1 = |G|.

Next assume that a_k is not readable. In this case M cannot deadlock, for otherwise symbol a_k would be readable. Let a_j be the symbol of least depth, j, such that d_R(a_j) > d_L(a_j). Clearly, a_{j−1} is a right symbol and d_R(a_{j−1}) = d_L(a_{j−1}), and so d_R(a_j) = d_L(a_j) + 1. Then using propositions 3.3 and 3.4, we have that all symbols less than or equal to a_{j−1} are readable but a_j is not. Thus a_j is writable but a_{j+1} is not. Since by corollary 3.2, for all n and i ≥ 1,  we have that t(i, n) ≥ t(i + 1, n), we have, using the same argument as in the previous case, that the first cell into which a_j is written is cell 1. Since a_j is a right symbol, after writing a_j the head moves to the right to cell 2 and then never visits cell 1 again, for otherwise a_{j+1} would be writable. Thus from the above comments we have that when a_j is written into cell k all cells 0, ..., k contain a_j, all cells k + l + 1, ... contain the blank symbol and cells k + 1, ..., k + l form a non-increasing sequence with l < j + 1. Thus we can liken the computation to a wave front that moves along the tape from left to right such that to the right of the front all cells have the symbol ⊔ while to the left all cells have the symbol a_j. Thus, in this case the computation is unbounded, viz., every cell of the tape is visited at least once. We say that the computation diverges.

(b) Lollipops. We now consider the case when G is a lollipop, say L = a_0 → ... → a_k → ... → a_d → a_k. Note that in this case the machine never deadlocks because no matter what symbol the head is currently reading, there is always a move it can make. Let (a'_i)_{i ≥ 0} = a_0 ... a_k (a_{k+1} ... a_d a_k)^ω be the ‘unrolling’ of L. From the discussion in the previous section, it follows that all we need to do is decide whether there exists an i such that d_R(a'_i) > d_L(a'_i) and, if yes, find the least such i. Let c_L and c_R denote the number of left and right symbols, respectively, in the cycle a_k ... a_d and l_c = d − k + 1 denote the length of the cycle. Then we can show that if for some i, d_R(a'_i) > d_L(a'_i), then there exists such an i ∈ [0 : k(d − k + 2)] and hence such an i can be determined efficiently in time O(|G|^2 log(|G|)).

Using the result for the case when G is a simple path we see that if there exists an i such that d_R(a'_i) > d_L(a'_i), then a front develops writing a'_j to its left, where j is the least i with the above mentioned property. If no such i exists then no front develops and thus cell 1 is visited infinitely often during the computation. In this case if the cycle of the lollipop contains a right symbol then the computation of M on the empty string is unbounded. On the other hand, if all symbols in the cycle are left symbols, then since a_k is readable and all symbols appearing after a_k in the lollipop are left symbols, after reading a_k the head shuttles between cells 0 and 1 without visiting any other cell thereafter, with tape symbols being written repeatedly in cell 1 in the following cyclic fashion: a_{k+1} → ... → a_d → a_k.

The above discussion can be summed up as follows. 

Proposition 3.5 (Behavior Lemma). Let M be a given linear tape Turing machine with 
only one control state. Then one of the following holds. 

— the head of M eventually deadlocks in cell 1 

— the head of M diverges 

— the head of M eventually shuttles between cells 0 and 1 indefinitely. 

Furthermore, if G is the transition graph of M, then the behavior of M can be decided in time O(|G|^2 log |G|).
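The Behavior Lemma, as an added runnable example (ours, not the paper's code): it builds the transition graph of a one-state machine, looks for the first ‘front’ symbol a'_j with d_R(a'_j) > d_L(a'_j), classifies the behavior as deadlock in cell 1, divergence or shuttling, and cross-checks the prediction by bounded simulation on four constructed machines. The encoding of δ as a dictionary, the symbol names, the search window in first_front and the step budget of the simulator are our own assumptions; readability is tested with the condition taken up to and including the symbol, as the diverging case above requires.

```python
"""Added example (ours, not the paper's): predict the behaviour of a
deterministic one-control-state Turing machine on the empty tape from
its transition graph G (Propositions 3.3-3.5) and cross-check it by a
bounded simulation. Assumptions: symbols are strings, BLANK is the
blank, END is the left-end marker that reflects the head to the right,
delta maps a read symbol to (symbol written, 'L' or 'R'); a symbol not
in delta has no move, so reading it deadlocks the machine."""

BLANK, END = "_", ">"

def transition_graph(delta):
    """Symbols reachable from BLANK, in order, and the index the last one
    loops back to (lollipop a_0..a_d -> a_k) or None (simple path)."""
    path, seen = [BLANK], {BLANK: 0}
    while path[-1] in delta:
        nxt = delta[path[-1]][0]
        if nxt in seen:
            return path, seen[nxt]
        seen[nxt] = len(path)
        path.append(nxt)
    return path, None

def unrolling(delta, length):
    """First `length` symbols a'_0 a'_1 ... of the unrolling
    a_0..a_k (a_{k+1}..a_d a_k)^omega (the path itself if no cycle)."""
    path, back = transition_graph(delta)
    seq = list(path)
    while back is not None and len(seq) < length:
        seq.extend(path[back:])
    return seq[:length]

def first_front(delta):
    """Least i with d_R(a'_i) > d_L(a'_i), else None. The window is our
    own bound: inside it the difference turns positive or every further
    pass round the cycle can only lower it, so nothing is missed."""
    path, back = transition_graph(delta)
    window = len(path)
    if back is not None:
        window += (back + 3) * (len(path) - back)
    d_left = d_right = 0               # left- and right-depth of a'_i
    for i, sym in enumerate(unrolling(delta, window)):
        if d_right > d_left:
            return i
        if sym in delta:               # a'_i is a left- or right-symbol
            if delta[sym][1] == "L":
                d_left += 1
            else:
                d_right += 1
    return None

def readable(delta, sym):
    """a_i is readable iff d_R(a_j) <= d_L(a_j) for all j up to and
    including i, i.e. iff a_i lies strictly before the first front."""
    path, _ = transition_graph(delta)
    front = first_front(delta)
    return sym in path and (front is None or path.index(sym) < front)

def predict(delta):
    """Behavior Lemma: 'deadlock' (in cell 1), 'diverge' or 'shuttle'."""
    path, back = transition_graph(delta)
    if first_front(delta) is not None:
        return "diverge"               # a wave front moves right forever
    if back is None:
        return "deadlock"              # a_k is readable and has no move
    if any(delta[s][1] == "R" for s in path[back:]):
        return "diverge"               # cell 1 revisited, tape still grows
    return "shuttle"                   # only left-symbols on the cycle

def simulate(delta, max_steps=20000, far=10):
    """Bounded run from the initial configuration. Heuristic: reaching
    cell `far` is divergence; staying in cells 0-1 for the second half
    of the run is shuttling. Returns (behaviour, deadlock cell or None)."""
    tape, pos, last_beyond_1 = {0: END}, 0, 0
    for step in range(max_steps):
        sym = tape.get(pos, BLANK)
        if sym == END:
            pos += 1                   # cell 0 reflects the head right
            continue
        if sym not in delta:
            return "deadlock", pos
        tape[pos], direction = delta[sym]
        pos += 1 if direction == "R" else -1
        if pos >= far:
            return "diverge", None
        if pos > 1:
            last_beyond_1 = step
    return ("shuttle" if last_beyond_1 < max_steps // 2 else "unknown"), None

# Constructed machines: deadlocking path, path with a front at a_5, lollipop
# whose cycle has a right-symbol (a counter), lollipop of left-symbols only.
MACHINES = {
    "deadlock": {"_": ("a1", "L"), "a1": ("a2", "L"), "a2": ("a3", "R"), "a3": ("a4", "R")},
    "front": {"_": ("a1", "L"), "a1": ("a2", "R"), "a2": ("a3", "L"), "a3": ("a4", "R"), "a4": ("a5", "R")},
    "counter": {"_": ("a1", "L"), "a1": ("a2", "L"), "a2": ("a1", "R")},
    "shuttle": {"_": ("a1", "L"), "a1": ("a2", "L"), "a2": ("a1", "L")},
}

def agreement():
    """Name -> (graph prediction, simulated behaviour) for each machine."""
    return {n: (predict(d), simulate(d)[0]) for n, d in MACHINES.items()}
```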

3.2 The PMCP for Bidirectional Rings 

We now show how the results for linear tape Turing machines with a solitary state can be leveraged to give decision procedures for the PMCP for bidirectional rings. The connection between Turing machines and rings is established via the Ring Traversal Lemma using the notion of crossing numbers discussed below. The PMCP for rings can equivalently be formulated as follows: given an LTL\X formula h(m) with atomic propositions over the local states of process P_m, where m ∈ [0 : l − 1], does there exist n such that C^{n+l}, (x a^n) ⊨ E h(m)? We assume that in each of the initial cyclic configurations (x a^n), the head is placed at cell 0.

Notation. We refer to the counterclockwise and clockwise directions along the circular tape of C^{n+l} as right and left directions, respectively. We assume that tape cells 0, ..., n + l − 1 of C^{n+l} are arranged in a counterclockwise direction in the order listed. For any interval, viz., a finite set of adjacent cells along the circular tape, when traversing the cells of the interval in the counterclockwise direction, the cell encountered first is called the left end of the interval whereas the cell encountered last is called the right end of the interval. For C^{n+l}, cells 0, ..., l − 1 containing the input sequence x are designated as interval X while the set of remaining cells, each containing the tape symbol a, is designated the outer ring. As for Turing machines with linear tapes, we let G denote the transition graph of C^{n+l} and G_a the subgraph of G induced by the set of all symbols reachable from a in G.

Strategy. We begin by outlining our strategy. For a ring of size n + l, starting at the initial cyclic configuration (x a^n), we construct a transition diagram G_X(n) on the configurations of interval X, where each configuration is given by the contents of the tape cells constituting X along with the cell number of X on which the head is currently placed. If from a configuration c of X the head moves outside interval X, then if the head does not re-enter X, c has no successor in G_X(n); else the successor is the configuration that results when the head re-enters X. In the second case, the transition that results is called an external transition of G_X(n). All transitions of G_X(n) that are not external are called internal and correspond to movements of the head within interval X. Since M is a deterministic Turing machine, G_X(n) is either a simple path or a lollipop. Note that since we are interested in the ‘behaviour’ of cell m belonging to interval X, there exists n such that M, (x a^n) ⊨ E h(m) iff there exists n such that G_X(n) ⊨ E h(m), where in both cases the formula h(m) is interpreted over the tape alphabets in cell m. We show the existence of a cutoff c ≥ l such that for all j ≥ c, the transition diagram G_X(j) is the same as G_X(c). This reduces the PMCP to determining whether there exists i ∈ [1 : c] such that M, (x a^i) ⊨ E h(m), i.e., model checking at most c finite state systems, which is clearly decidable. We point out that we do not actually construct G_X(n) but merely use it to prove our cutoff result. Towards that end, however, we need to elucidate the structure of G_X(n). Note that the internal transitions of G_X(n) are easy to figure out as they correspond to movements of the head within interval X. But for the external transitions, the key question that needs to be answered is, in case the head leaves interval X, whether it re-enters X again and, if yes, the direction from which it re-enters X and the configurations of both interval X and the outer ring on re-entry in relation to the configuration of the outer ring on the last exit. We address this issue next.

Ring Traversals. Let (x a*) denote the set of cyclic configurations wherein all cells other than the ones containing sequence x contain the tape symbol a. We now show that if M starts at the configuration (x a*) with the head positioned inside interval X, then, if the head exits X for the kth time, it cannot shuttle in the outer ring forever, but (a) it either re-enters X, or (b) it deadlocks outside X, and in both cases when that happens the configuration of the ring is of the form (y x' z b*) where |x'| = |x| and y and z constitute the ‘out-growth’ of the sequence in interval X during the kth ‘excursion’ of the head outside X. The ring traversal lemma given below allows us to quantify the length of this outgrowth. The key idea is that starting from a cyclic configuration of the form (y x z a*) with interval X containing the sequence x, if the head exits X on the right, then the head may re-enter X on the right, thus completing an external transition, or deadlock outside X without diverging in the outer ring. The interesting case occurs when the head diverges in the outer ring, say from the right end of interval Z (containing z) in the counterclockwise direction. Because of the circular nature of the tape, the head enters interval Y (containing sequence y) from the left end. There are three possibilities now. The head may in finitely many moves either (1) re-enter X from the left without diverging again in the outer ring, thus completing the external transition, or (2) deadlock without re-entering interval X and without diverging again in the outer ring, or (3) diverge in the outer ring again, this time in the clockwise direction. In this fashion, we see that the head may keep on diverging back and forth in the outer ring till it either re-enters X from either the right or the left end, or it deadlocks without re-entering X. This is formalized in the ring traversal lemma, the statement of which requires the notion of crossing numbers defined next.
Crossing Numbers. Let y be a given finite string of tape symbols and let interval Y, comprised of cells 1, ..., n of a linear tape, contain y. Let cell n + 1 contain A, where δ, the transition relation for M, has the property that δ(q, A) = (q, A, L). Thus A merely ‘reflects’ the head back to the left into Y.

Then the left-right crossing number of y, denoted by C_LR(y), is intended to capture the number of moves made by the head on the left end of interval Y, viz., from cell 1 to 0, after the head enters interval Y at the left end and before it exits Y at the right end for the first time. Formally, C_LR(y) is defined as follows. Starting at cell 0 (containing ⊢), if the head ever exits interval Y on the right, viz., makes a right move from cell n to n + 1, then we define C_LR(y) as the number of moves made by the head from cell 1 to 0 before it exits Y to the right for the first time. If the head never exits Y on the right, there are three possible cases: (1) the head deadlocks in Y, in which case C_LR(y) is defined to be the number of moves made by the head from cell 1 to cell 0, viz., at the left end of interval Y, before it deadlocks, or (2) the interval Y is exited to the left an unbounded number of times, in which case we define C_LR(y) as ∞, or (3) after finitely many steps the head keeps on shuttling in Y without exiting Y on either side thereafter. In that case, we define C_LR(y) as ⊥.

In general, for D_1, D_2 ∈ {L, R}, we may define C_{D_1 D_2}(y) to capture the number of moves made by the head on the D'_2 end of interval Y, where D'_2 ∈ {L, R} \ {D_2}, viz., the opposite end from the one through which the head is supposed to exit Y, after the head enters interval Y at the D_1 end.

Proposition 4.1 (Ring Traversal Lemma). Starting at the initial configuration (x a^n), suppose that when the head exits interval X for the kth time, the ring configuration is of the form (y x' z b*), where x' is the content of X. If n is greater than the maximum of the minimum of C_LL(z)|G| and C_LR(y)|G|, and the minimum of C_RL(z)|G| and C_RR(y)|G|, viz., the ring is of sufficiently large size, then one of the following holds.

1. the head deadlocks before entering interval X again.

2. the head re-enters interval X after finitely many steps.

In both cases, the resulting configuration is of one of the two forms: (y'' y' x'' z' c*) or (y' x'' z' z'' c*), where |x''| = |x|, |y'| = |y|, |z'| = |z| and |y''|, |z''| are less than or equal to the minimum of C_RL(z)|G| and C_RR(y)|G| or the minimum of C_LR(y)|G| and C_LL(z)|G| accordingly as the head exits X to the left or to the right.

A crucial consequence is that the behavior of the head (as far as interval X is concerned) after exiting X for the kth time is the same for all n greater than a threshold value, viz., the minimum of C_RL(z)|G| and C_RR(y)|G| or the minimum of C_LR(y)|G| and C_LL(z)|G|, the only difference being the number of cells in the outer ring containing the symbol c. This observation gives us the cutoff which we derive next.

Generating the Cutoff. Using the above result, we next show the existence of a cutoff c ≥ l such that for all j ≥ c, the transition graph G_X(j) is the same as G_X(c). Let (x a^n) be the initial tape configuration with the head at cell 0. Recall that G_a is the subgraph of G induced by the set of all tape symbols reachable from a in G. Here we consider only the case where G_a is a simple path, the other being handled in a similar fashion.

Let G_a be the simple path a_0 → ... → a_d. In this case, we have that the head can make at most d + 1 moves from any cell of the ring without deadlocking. Then, from the definition of crossing numbers, it follows that C_{DD'}(w) ≤ d + 1, for any sequence w of tape symbols and any D, D' ∈ {L, R}. Hence from the Ring Traversal Lemma 4.1, it follows that after the head exits X in configuration (y x' z b*) the length of the newly added intervals Y' and Z' containing respectively y'' and z'' is at most (d + 1)^2. Since the head can exit interval X at most d + 1 times (without deadlocking), at most d + 1 external transitions can be fired in G_X(n) for any n. Then, using proposition 4.1 repeatedly, we have that in all exits and re-entries of X, the total length of the newly added intervals is at most (d + 1)^3. Thus in this case, for each j ≥ c = l + (d + 1)^3, G_X(j) is the same as G_X(c), and so the value of the cutoff is c = l + (d + 1)^3.

Multiple but Bounded Number of States. Using the fact that M is deterministic, we can reduce the analysis of the case where b ≥ 1 changes are allowed to the control state to the repeated application of the case with one control state. Starting from the initial configuration (x a*) in state q_0, the first step is to decide whether a state change occurs to the head and, if yes, the resulting configuration c_0 after the move in which the change occurs. If a state change does occur then we repeat the above step but starting in c_0 as the initial configuration. But this is just an instance of the original problem with one fewer state change allowed. Thus to study the behavior of M we need to carry out this procedure at most b times.

Proposition 4.2 (Decidability Result). The PMCP for LTL\X properties is decidable 
for bidirectional rings with a token that is allowed to change value a bounded number 
of times. 



4 Applications 

The framework(s) presented in this paper are broad enough to model a variety of ring based applications. Our framework can model the Leader Election Problem and Token Ring LANs, neither of which could be handled by [11]. Examples that require bidirectional rings include bidirectional variants of all applications considered in [11]. However, for lack of space, we consider only the Leader Election Problem.

Leader Election Protocols. In local area token networks, a single token circulates around the ring giving its owner the sole right to initiate communication. If the token is lost, then the Leader Election Problem [15] is to elect a new unique leader to act as the new owner of the regenerated token.

The LCR Leader Election Protocol. The Le Lann, Chang and Roberts (LCR) protocol assumes that each process P_i in a given unidirectional ring has an integer id_i > 0 as a unique identifier, not necessarily in increasing or decreasing order around the ring. The protocol works as follows: Each process P_i sends token t_i with its identifier value id_i around the ring. We model this by letting P_i own t_i. When a process receives a token, it compares the value of the token to its own identifier. If the value is greater than its identifier, it passes the token unchanged. If the value is less than its own, it changes its value to 0. If the value is equal to its own, the process declares itself leader. The transition diagram for process P_i is shown in figure 1. Then from the discussion in section 2, it follows that P(t_i) is the first (in case there exists one) process occurring along the ring in the clockwise direction with identifier greater than id_i.

Fig. 1. The LCR Protocol

We need to verify that for any arbitrarily large ring it is never the case that two distinct processes P_i and P_j declare themselves leaders, viz., f = EF(leader_i ∧ leader_j) is not satisfied. Since |P(t_i)|, |P(t_j)| ≤ 1, has at most 4 processes. Then, we see using proposition 2.1 that we can reduce the reasoning of the leader election protocols for all rings containing processes P_i and P_j, irrespective of their size, to 6 canonical ring systems each with at most 4 processes. Since i and j were arbitrarily chosen, we have that since the LCR protocol is correct for the 6 canonical systems it is correct for any arbitrary ring.
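The LCR protocol described above, as an added example (ours, not the paper's code): each process P_i owns a token t_i carrying id_i, and the receiver rules (pass if greater, set to 0 if smaller, leader if equal) are replayed on constructed rings. It checks the property model-checked in section 4 (no two processes declare themselves leader), the characterisation of P(t_i) as the first clockwise process with a larger identifier, and section 2's bound that each token's value changes at most once. Assumptions: identifiers are distinct positive integers and tokens move clockwise from index i to i+1 mod n; since tokens never interact, simulating them one at a time gives the same outcome as any interleaving.

```python
"""Added example (ours, not the paper's code): the LCR leader election
protocol of section 4 as a unidirectional ring of valued tokens. Each
P_i owns a token t_i carrying id_i; a receiver passes a token whose
value exceeds its own id unchanged, sets a smaller value to 0, and
declares itself leader when the value equals its id. Assumptions: ids
are distinct positive integers and tokens move clockwise (index i to
i+1 mod n). Tokens never interact, so simulating them one at a time
gives the same outcome as any interleaving of the n processes."""

import random


def run_lcr(ids):
    """Returns (leaders, stopper, changes): processes that declared
    themselves leader, P(t_i) for each token (index of the process that
    set t_i to 0, or None) and how often each token's value changed."""
    n = len(ids)
    leaders, stopper, changes = set(), {}, {}
    for i, value in enumerate(ids):
        stopper[i], changes[i] = None, 0
        pos = i
        while True:
            pos = (pos + 1) % n                # t_i moves to the clockwise neighbour
            if value == ids[pos]:
                leaders.add(pos)               # own token came back: leader
                break
            if value < ids[pos]:
                if stopper[i] is None:
                    stopper[i] = pos           # P(t_i): first larger identifier
                if value != 0:
                    changes[i] += 1            # the single value change of t_i
                    value = 0
            # value > ids[pos]: the token is passed on unchanged
            if pos == i:
                break                          # a dead token finished its lap
    return leaders, stopper, changes


def expected_stopper(ids, i):
    """Section 4's characterisation of P(t_i): the first process clockwise
    from P_i whose identifier is greater than id_i, or None if none is."""
    n = len(ids)
    for step in range(1, n):
        j = (i + step) % n
        if ids[j] > ids[i]:
            return j
    return None


def check_ring(ids):
    """The property verified in section 4 and the bound of section 2: no
    two distinct processes declare themselves leader (the one leader holds
    the maximal id), every P(t_i) matches expected_stopper, and no token
    changes its value more than once."""
    leaders, stopper, changes = run_lcr(ids)
    n = len(ids)
    return (leaders == {ids.index(max(ids))}
            and all(stopper[i] == expected_stopper(ids, i) for i in range(n))
            and all(c <= 1 for c in changes.values()))


def failing_rings(trials=300, max_size=12, seed=7):
    """Number of constructed random rings (distinct ids in arbitrary order)
    on which check_ring fails; the protocol is correct, so this is 0."""
    rng = random.Random(seed)
    return sum(1 for _ in range(trials)
               if not check_ring(rng.sample(range(1, 1000), rng.randint(1, max_size))))
```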

5 Concluding Remarks 

The generally undecidable PMCP has received a good deal of attention in the literature. 
A number of interesting proposals have been put forth, and successfully applied to 
certain examples (e.g., [1,2, 5,6, 14, 18]). However a lot of these methods suffer from the 
following drawbacks: much human ingenuity may be required to develop, e.g., network 
invariants; the method may not terminate; the complexity may be intractably high; and 
the underlying abstraction may only be conservative rather than exact. 

However, for frameworks that handle specialized application domains, decision procedures can be given that are both sound and complete, fully automatic and in some cases efficient ([4, 7, 8, 11, 12]). In this paper, we have considered the PMCP for LTL\X properties for parameterized families of rings wherein processes communicate using message passing via tokens. Previous work, to the best of our knowledge, has only considered
unidirectional rings with a solitary token that could not carry any values [11] and so mes- 
sages could not be exchanged between processes. Such systems have limited expressive 
power and cannot model, for instance, standard solutions for the leader election problem. 
We have extended the known envelope of decidability of the PMCP for ring systems 
to bidirectional token rings wherein the token can carry messages but only a bounded 
number of value changes to the token are permitted. Our reduction technique involves 
showing how to reduce reasoning about a ring with an arbitrary number of processes to 
a ring with up to a cutoff number of processes. In this paper, the reduction results were 
established for a bidirectional ring with a single token. A possible direction for future 
research is to study bidirectional rings with multiple tokens. 



Parameterized Model Checking of Ring-Based Message Passing Systems 



339 



We have also identified a broad unidirectional ring framework which allows multiple 
tokens, with each token being allowed a bounded number of value changes. For this 
framework, we have shown that small cutoffs can indeed be obtained, making our tech- 
nique truly efficient. For bidirectional rings, our methods are exact, viz., both sound and 
complete, and fully automated; for unidirectional rings they are also provably efficient. 
Moreover, the use of cutoffs has the added advantage that the reduced system is a replica 
of the original system but with fewer processes. This is beneficial for several reasons. 
First, it gives us a clean reduction, as there is no need, e.g., to construct an abstract 
graph which may have a complex, non-obvious structure very different from the original 
system. Secondly, it caters to automatic error trace recovery. 
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Abstract. We present a novel third-order theory $W^1_1$ of bounded arith- 
metic suitable for reasoning about PSPACE functions. This theory has 
the advantages of avoiding the smash function symbol and is otherwise 
much simpler than previous PSPACE theories. As an example we outline 
a proof in $W^1_1$ that from any configuration in the game of Hex, at least 
one player has a winning strategy. We then exhibit a translation of theo- 
rems of $W^1_1$ into families of propositional tautologies with polynomial-size 
proofs in BPLK (a recent propositional proof system for PSPACE and an 
alternative to G). This translation is clearer and more natural in several 
respects than the analogous ones for previous PSPACE theories. 

Keywords: Bounded arithmetic, propositional proof complexity, PSPACE, quantified propositional calculus 

1 Introduction 

Theories of bounded arithmetic such as $S^i_2$ and $T^i_2$ of Buss [1] are interesting 
for their close ties to computational complexity. For example, the $S_2$ hierarchy 
collapses if and only if $S_2$ proves that the polynomial-time hierarchy collapses 
[3,25,16]. An important property of a theory is the computational complexity 
of functions that can be defined in it, and theories are known that correspond 
in this way to many natural complexity classes; see for example [7], [2], [13], [6]. 

Another important feature of theories of bounded arithmetic is that theorems 
can often be translated into families of tautologies with polynomial-sized proofs 
in a related propositional proof system. For example, propositional translations 
of theorems of Cook’s equational theory of polynomial-time functions, PV, have 
polynomial-sized extended Frege proofs [12]. 

1.1 Our Results and Related Work 

In his thesis [1], Buss introduced the first-order $S_2$ hierarchy, but he also gave 
second-order theories $U^1_2$ and $V^1_2$ whose $\Sigma^{1,b}_1$-definable functions are exactly the 
classes PSPACE and EXPTIME, respectively. The ability to reason about the 



* Research supported by Canadian Natural Sciences and Engineering Research Council 
grant PGSB-208264-2000 

J. Marcinkowski and A. Tarlecki (Eds.): CSL 2004, LNCS 3210, pp. 340-354, 2004. 

© Springer-Verlag Berlin Heidelberg 2004 




A Third-Order Bounded Arithmetic Theory for PSPACE 



exponentially-large second-order objects gives the theory greatly increased power; 
for example, $V^1_2$ is otherwise identical to $T_2$, whose $\Delta^b_1$-definable functions are 
from the polynomial hierarchy. 

Now, Razborov [19] and Takeuti [24] independently showed a general method 
(the RSUV isomorphism) by which a first-order theory could be shown equivalent 
to a second-order theory: for example, the A']’-definable number functions of 
are the same as the -definable ^ ^ , functions of V^. Zambella [25] then 

gave a very elegant presentation of a second-order hierarchy {R*} equivalent to 
This second-order “viewpoint” has been adopted by other authors [8,9] 
and has the advantages of greatly reducing the number of axioms required due 
to the absence of (the smash function symbol) from the language and also 
simplifying the bootstrapping of the theories. 

In this paper we introduce a new third-order theory called $W^1_1$, designed to 
exploit both the above uses of a higher order in bounded arithmetic: firstly to 
simplify the language, presentation and bootstrapping, and secondly to reason 
about exponentially large objects. We show that the $\Sigma^{\mathcal{B}}_1$-definable string func- 
tions of this theory are exactly those computable in polynomial space (PSPACE). 
Our witnessing theorem is much simpler than the analogous one for $U^1_2$, since it 
completely eliminates the complicated witnessing formulas of [1] and also uses a 
simpler comprehension scheme that does not necessitate adding comprehension 
rules to the sequent calculus. 

We also discuss a recent propositional proof system, BPLK [22], correspond- 
ing to PSPACE, and give a translation of theorems of $W^1_1$ into families of propo- 
sitional tautologies with polynomial-size proofs in this new system. This trans- 
lation is very much simpler than the analogous one for $U^1_2$ and G, the quantified 
propositional calculus that is the only previously studied propositional proof sys- 
tem for PSPACE. This latter translation is from [17] and lacks many technical 
details that we suspect would be very tricky if written out in full. 

2 A Third-Order Language 

We consider a three-sorted (“third-order”) predicate calculus with free and 
bound variables of the first sort named $a, b, c, \ldots$ and $x, y, z, \ldots$, respectively, and 
free and bound variables of the second sort named $A, B, C, \ldots$ and $X, Y, Z, \ldots$, and 
likewise of the third sort named $\mathcal{A}, \mathcal{B}, \mathcal{C}, \ldots$ and $\mathcal{X}, \mathcal{Y}, \mathcal{Z}, \ldots$. The first sort is in- 
tended to represent natural numbers; the second, finite sets of natural numbers; 
and the third, finite sets of finite sets. The language consists of the following 
set of non-logical symbols: $\{0, 1, +, \cdot, |\cdot|_2, \in_2, \in_3, \le, =\}$, the same as the 
set for the second-order language but with the addition of the third-order membership predicate 
$A \in_3 \mathcal{B}$. Note in particular the absence of the smash function symbol. The ex- 
pression $|X|_2$ is intended to represent the largest element of the set $X$. Such sets 
are interchangeable with finite binary strings under the following mapping, as 
in [9]: the set $X$ represents the string with length $|X|_2 - 1$ whose $i$-th bit is 1 
exactly when $i \in_2 X$. This map is a bijection with the exception that the string 
corresponding to the empty set would be undefined, so we define it to be the 
empty string. Third-order objects can then be thought of as sets of strings. 
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Number terms are defined identically as in $V^1_1$, in particular not including 
any reference to third-order variables. Formulas additionally may have third- 
order variables and quantifiers. The hierarchy $\Sigma^{\mathcal{B}}_i$ of classes of formulas in this 
language is analogous to $\Sigma^B_i$ and $\Sigma^b_i$ for second- and first-order formulas: $\Sigma^{\mathcal{B}}_i$ 
consists of those formulas with arbitrarily many bounded first- and second-order 
quantifiers, and exactly $i$ alternations of third-order quantifiers, the outer-most 
being restricted, i.e. equivalent to an existential quantifier. We shall be con- 
cerned only with $i \in \{0, 1\}$. Now, strict $\Sigma^{\mathcal{B}}_1$-formulas are those consisting of a 
single existential third-order quantifier followed by a formula with no third-order 
quantifiers; we shall be mainly concerned with a slightly more inclusive class 
of formulas called $\forall^2\Sigma^{\mathcal{B}}_1$, consisting of a single bounded universal second-order 
quantifier followed by a strict $\Sigma^{\mathcal{B}}_1$-formula. Restricting several schemes in our 
theory to this class will be justified in section 4 by the fact that an appropriate 
replacement scheme will be provable in our theory. 

Note that third-order quantifiers are not bounded, and in fact there does not 
seem to be any way to bound them, since terms cannot reference third-order 
variables. Fortunately, in the appropriate fragment of the theory we shall be 
concerned with, these variables will always be implicitly bounded. 

3 The Theory 

$W^1_1$ is a theory over the above-defined third-order language. The axioms of $W^1_1$ 
are B1-B12 and L1, L2 of [8] (open axioms defining the function and predicate 
symbols in the language), (strict) $\forall^2\Sigma^{\mathcal{B}}_1$-IND, and the following two comprehen- 
sion schemes, $\Sigma^{\mathcal{B}}_0$-2COMP: 

\[ (\exists Y < t(x, X))(\forall z < s(x, X))[\phi(x, X, \mathcal{X}, z) \leftrightarrow Y(z)] \] 

and $\Sigma^{\mathcal{B}}_0$-3COMP: 

\[ (\exists \mathcal{Y})(\forall Z < s(x, X))[\phi(x, X, \mathcal{X}, Z) \leftrightarrow \mathcal{Y}(Z)], \] 

where in each case $\phi \in \Sigma^{\mathcal{B}}_0$, subject to the restriction that neither $Y$ nor $\mathcal{Y}$, as 
appropriate, occurs free in $\phi$. $\mathcal{Y}(Z)$ abbreviates $Z \in_3 \mathcal{Y}$, and similarly for $Y(z)$. 

4 $\Sigma^{\mathcal{B}}_1$-Replacement Schemes 

In this section we shall show that $W^1_1$ proves various replacement schemes, allow- 
ing third-order existential quantifiers to be moved past lower-order quantifiers. 

First, though, it is convenient to note that adding to $W^1_1$ function symbols for 
its number- and string-valued $\Sigma^{\mathcal{B}}_1$-definable functions results in a conservative 
extension. The proof of the present claim is analogous to that for first-order 
bounded arithmetic theories in section 2.3 of [1]. In that proof, a given $\Sigma^b_1$- 
formula in the augmented language is shown to be equivalent to a constructed 
$\Sigma^b_1$-formula in the original language, and this preserves strictness of the quantifier 
syntax. 
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$W^1_1 \supseteq V_1 = \bigcup_i V^i_1$, since all the axioms of the latter theory are in the former; 
$W^1_1$ can therefore $\Delta^{\mathcal{B}}_1$-define all number- and string-valued functions of number 
and string arguments from the polynomial-time hierarchy. By the remarks in the 
previous paragraph, we can add symbols for these functions to $W^1_1$ and obtain a 
conservative extension. In particular, pairing functions such as $\langle x, y\rangle$, $\langle X, Y\rangle$ and 
$\langle X, y\rangle$ may be added. For a third-order variable $\mathcal{X}$, define the rows $\mathcal{X}(\langle x, X\rangle)$ 

and $\mathcal{X}(\langle X, Y\rangle)$, which make $\mathcal{X}$ into an array, with rows indexed by 

number or strings respectively, each row of which is a third-order object. Let 
represent string concatenation and — represent limited subtraction. With 
this in mind, we can state the $\Sigma^{\mathcal{B}}_1$ replacement schemes: 

Definition 1 ($\Sigma^{\mathcal{B}}_1$ Replacement Schemes). 

Vx < y3X(j){x, y, X) ^ 3dfVx < y4>{x, y, 

yx < y3Xcj){X, y, X) ^ 3XyX < y<l>{X, y, 

, </>, (< , ' , . 

Theorem 2. Sf > ■ , , ■ , ; ■ / ; ' 

Proof. Although the $\Sigma^{\mathcal{B}}_1$-1REPL scheme has a simpler proof, it 
can also be proved in the same way as the $\Sigma^{\mathcal{B}}_1$-2REPL scheme, so we sketch only 
a proof of the latter. 

This direction of the equivalence, namely that for $\phi(X, y, \mathcal{X}) \in \Sigma^{\mathcal{B}}_1$ 
h 3XyX < y(j){X, y, D VA < y3X(j){X, y, X) 

is immediate. 

$\rightarrow$: The existence of a proof in $W^1_1$ of this direction of the equivalence is itself 
proved by structural induction on $\phi$. The base case of the induction is when $\phi$ 
is $\Sigma^{\mathcal{B}}_0$. Let $\psi$ be $\forall X < y\,\exists\mathcal{X}\,\phi(X, y, \mathcal{X})$. Let $\theta(c)$ be the formula 

yX<{y- c)3XyY < c<p{X ^ Y,y,xX]). 

$\theta(0)$ is a simple logical consequence of $\psi$, and $W^1_1 \vdash \psi \wedge \theta(c) \supset \theta(c+1)$ by use of 
$\Sigma^{\mathcal{B}}_1$-3COMP to combine two third-order objects (coding the two arrays of third- 
order objects for all strings of length smaller than $y$ starting with $X0$ and 
$X1$ respectively) into one third-order object coding the array for all strings of 
length smaller than $y$ starting with $X$. Thus $W^1_1 \vdash \psi \supset \theta(y)$ by $\forall^2\Sigma^{\mathcal{B}}_1$-IND, and 
clearly $\theta(y)$ implies the right-hand side of the scheme, provably in $W^1_1$. This induction, incidentally, is the 

only place where $\forall^2\Sigma^{\mathcal{B}}_1$-IND, rather than strict $\Sigma^{\mathcal{B}}_1$-IND, seems to be necessary. 

The induction step ($\phi \notin \Sigma^{\mathcal{B}}_0$) is proved by putting the formula in prenex 
form and then applying the induction hypothesis several times to manipulate 
the quantifiers. We omit the details. □ 

The following is an immediate, useful corollary: 

Corollary 3. If $\phi \in \Sigma^{\mathcal{B}}_1$, then there is $\psi \in$ strict $\Sigma^{\mathcal{B}}_1$ such that $W^1_1 \vdash \phi \leftrightarrow \psi$. 
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5 Definability in $W^1_1$ 

We know that $W^1_1$ can $\Delta^{\mathcal{B}}_1$-define all functions (of string variables) from the 
polynomial-time hierarchy. In fact, $W^1_1$ can $\Sigma^{\mathcal{B}}_1$-define all string functions com- 
putable in polynomial space: 

Theorem 4. If $f \in \mathrm{PSPACE}$, then there is a $\Sigma^{\mathcal{B}}_1$ formula $\phi$ such that 

$W^1_1 \vdash \forall X \exists Y \phi(X, Y)$, 

$W^1_1 \vdash \forall X \forall Y \forall Z(\phi(X, Y) \wedge \phi(X, Z) \supset Y =_2 Z)$ (where $Y =_2 Z$ abbreviates 
$(|Y|_2 = |Z|_2 \wedge \forall x < |Y|_2\,(Y(x) \leftrightarrow Z(x)))$), 

and, for all $X$, $\phi(X, f(X))$. 

Proof (sketch). The proof is by induction, on the logarithm of the length 
(number of steps) of the PSPACE computation, of the statement that for any initial configuration 
there is a unique ending configuration. In the induction step two computations 
of length $2^i$ are pieced together using $\Sigma^{\mathcal{B}}_1$-3COMP. □ 
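The composition step of this proof, as an added example in Python that is not the paper's own construction: a toy deterministic machine, constructed here with a 16-element configuration space, and a recursive check that configuration c2 is reached from c1 in exactly 2^i steps by guessing a middle configuration and checking both halves, so that the live recursion depth grows with i rather than with 2^i. The unique ending configuration is then recovered by search over candidates and compared with direct step-by-step simulation. The machine, its configuration encoding and all function names are assumptions of the example.

```python
from itertools import product

# Toy deterministic machine, constructed for this example: a configuration is a pair of
# 2-bit registers (16 configurations in all), so the exhaustive searches below stay small.
BITS = 2
MASK = (1 << BITS) - 1
ALL_CONFS = list(product(range(1 << BITS), repeat=2))


def step(conf):
    """One transition: (a, b) -> (b, a + b mod 2^BITS); (0, 0) is an absorbing halting state."""
    a, b = conf
    if conf == (0, 0):
        return conf
    return (b, (a + b) & MASK)


def reaches(c1, c2, i, depth=0, stats=None):
    """True iff the machine goes from c1 to c2 in exactly 2**i steps.

    This is the composition step of the proof: c1 reaches c2 in 2^i steps iff some
    middle configuration m is reached from c1 in 2^(i-1) steps and m itself reaches
    c2 in 2^(i-1) steps.  Only one chain of frames is live at any time, so the
    recursion depth (the storage) is i+1 even though 2^i steps are being certified.
    """
    if stats is not None:
        stats["max_depth"] = max(stats["max_depth"], depth + 1)
    if i == 0:
        return step(c1) == c2
    return any(reaches(c1, m, i - 1, depth + 1, stats)
               and reaches(m, c2, i - 1, depth + 1, stats)
               for m in ALL_CONFS)


def ending_configuration(c0, i, stats=None):
    """The unique configuration reached from c0 after 2**i steps, found by search.

    Raises if there were zero or several candidates, i.e. if the uniqueness clause
    maintained by the induction in the proof failed to hold.
    """
    hits = [c for c in ALL_CONFS if reaches(c0, c, i, 0, stats)]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one ending configuration, found {hits}")
    return hits[0]


def simulate(c0, steps):
    """Direct step-by-step simulation, used only as an independent check of the search."""
    c = c0
    for _ in range(steps):
        c = step(c)
    return c


if __name__ == "__main__":
    stats = {"max_depth": 0}
    end = ending_configuration((1, 1), 3, stats)
    print("after 2^3 steps:", end, "simulation:", simulate((1, 1), 8), "depth:", stats)
```

The search is deliberately wasteful in time (every candidate middle configuration is tried at every level) to make the space accounting visible: the depth counter reports i+1 for 2^i steps, which is the logarithmic measure the induction is carried out over.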

5.1 Strategies in Hex 

As an example, consider the game of Hex, which has recently achieved some 
notoriety in the form of propositional tautologies due to Buss [5], Urquhart and 
others. These tautologies state that a finished game of Hex has a winner and 
are generally provable in Frege, resolution or weaker systems, depending on the 
formulation. The winner can be found in logarithmic space by solving a related 
graph reachability problem. A related problem is to determine which player has 
the winning strategy from a given configuration, which is PSPACE complete [20]. 
A Hex configuration is easily coded as a string, compared to which a strategy is 
an exponential-sized object coding a map from partially filled boards to moves. 
Thus there is a $\Sigma^{\mathcal{B}}_1$ formula Strategy1($X$) stating that there exists a strategy 
such that for any (game sized) sequence of moves by player 2, when player 1 
responds according to his strategy then he is the winner. There is similarly a 
$\Sigma^{\mathcal{B}}_1$-formula Strategy2($X$), and as expected, 

Theorem 5. 

\[ W^1_1 \vdash \forall X[\mathrm{Strategy1}(X) \vee \mathrm{Strategy2}(X)]. \] 

Proof (sketch). Given a configuration $X$, we can define continuations 

of $X$ as those configurations reachable from $X$ by play. This is a simple matter 
of counting the numbers of added pieces of each colour, and checking that no 
existing pieces have been changed or removed. Then it is proved by induction 
on the number of remaining moves in the game that from any continuation of 
$X$, some player has a winning strategy. The base case is a reformulation of the 
above tautologies and is thus easily provable in $W^1_1$. In the induction step, from 
a given position $Y$ the induction hypothesis gives a winning strategy for some 
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player from each possible next position. If the current player can reach a winning 
position with a move then the strategy for the current position is amended to 
apply to the configuration Y by adding that move. Otherwise, a strategy for the 
other player is the merger of his strategies for all possible next positions. □ 

5.2 A Witnessing Theorem for $W^1_1$ 

To prove the converse of Theorem 4, namely that functions provably total in $W^1_1$ 
are in PSPACE, we shall use a Buss-style witnessing argument, which requires 
that we define an equivalent sequent calculus formulation $LK^3$-$W^1_1$ of $W^1_1$. 
We omit this for brevity, but it is essentially LK with the addition of second- 
and third-order quantifier introduction rules (replacing only free variables by 
quantifiers) plus the following $\forall^2\Sigma^{\mathcal{B}}_1$-IND rule: 

\[ \frac{\Gamma, \phi(b) \rightarrow \phi(b+1), \Delta}{\Gamma, \phi(0) \rightarrow \phi(t), \Delta} \] 

where $b$ appears only as indicated and $\phi \in \forall^2\Sigma^{\mathcal{B}}_1$. As initial sequents we allow 
all substitution instances of the axioms (other than induction) of $W^1_1$. Note that 
all rules of $LK^3$-$W^1_1$ are valid in $W^1_1$, and furthermore, $LK^3$-$W^1_1$ proves the 
induction and comprehension schemes of $W^1_1$. Formally, $LK^3$-$W^1_1$ also adopts 
the usual conventions concerning free and bound variables, as in [4]. 

The standard definition of an anchored cut in $LK^3$ is extended for $LK^3$-$W^1_1$ 
by allowing cuts on the descendants of principal formulas of the $\forall^2\Sigma^{\mathcal{B}}_1$-IND 
rule, in addition to cuts on descendants of formulas in non-logical axioms. The 
anchored completeness theorem for $LK^3$ can then be extended to $LK^3$-$W^1_1$ in 
the usual way to cope with the induction rules, as detailed in [23]. 

With this in mind, we can now state the witnessing theorem we wish to prove, 
followed by several definitions: 

Theorem 6. Suppose $W^1_1 \vdash \exists Y \phi(X, Y)$, where $\phi(X, Y) \in \Sigma^{\mathcal{B}}_1$. Then there is 
$f \in \mathrm{PSPACE}$ such that for all $X$, $\phi(X, f(X))$. 

Definition 7. tp = ^ t3X(j){X,X) G V^Af, ^ ^ 

, , , - , ' ^ ' 

, ^ A{A,B) satisfies ( . , . . , 

W ^ ^ ‘ i kAAB}{A{A,B))) , 



( , 




{B}{A{A,Bj) . , ; 


, / , ‘ , U , A 


Definition 8. 


S . 


r — > 


rlJAcV^Af, 



r = {iAi < Si3Ai'^i{Ai,A^,B,B,b)} , - 

A = {VQ < U3Abi{A,CuB,BA)}. 



, ; 
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PSPACE Oracle Witnessing Operators (POWOs),^ S 

yCi < ti3Ci6i{Ct,Ci,B,B,b) 

JjB ^ , 

° ‘ /i , ' ^ , 

){AMj,x)}C^ , 

, fi , , 

- . , , 

,, r , B,B,b^, 5 , _ , , , 

{MA„X)} 7, 

, <5, ,, {C'„A}/„, . 

. ' ' , ^ ^ ^ /. 

r, . - ' J ^ 



, Ai 



Now the theorem will follow from the following lemma: 

Lemma 9. Suppose $LK^3$-$W^1_1 \vdash \Gamma \rightarrow \Delta$, where $\Gamma \cup \Delta \subseteq \forall^2\Sigma^{\mathcal{B}}_1$. 
Then POWOs exist for $\Gamma \rightarrow \Delta$. 

Proof (of Theorem 6). Suppose $W^1_1 \vdash \exists Y \phi(X, Y)$, for 
$\phi(X, Y) \in \Sigma^{\mathcal{B}}_1$ with all free variables displayed. By Parikh’s theorem, $W^1_1 \vdash \exists Y 
< t(|X|_2)\,\phi(X, Y)$, for some term $t$. By Corollary 3, $W^1_1 \vdash \phi(X, Y) \leftrightarrow 
\exists\mathcal{Y}\,\psi(X, Y, \mathcal{Y})$, for some $\psi \in \Sigma^{\mathcal{B}}_0$. Also, $W^1_1 \vdash \exists Y < t(|X|_2)\,\exists\mathcal{Y}\,\psi(X, Y, \mathcal{Y}) \leftrightarrow 
\exists\mathcal{Y}\,\exists Y < t(|X|_2)\,\psi(X, Y, \mathcal{Y})$. Applying the lemma to the sequent $\rightarrow \exists\mathcal{Y}\,\exists Y < 
t(|X|_2)\,\psi(X, Y, \mathcal{Y})$, we obtain a PSPACE (in $|X|$) predicate for $\mathcal{Y}$ satisfying that 
sequent, and so for particular $X$ the string $Y$ can be obtained in PSPACE by 
evaluating $\psi$, with access to the predicate $\mathcal{Y}$, on each string of length $< t(|X|_2)$ 
in turn. It is easy to see that the computed string $Y$ satisfies $\phi(X, Y)$ (for the 
same fixed $X$). □ 

All that remains is to prove the lemma: 

Proof (of Lemma 9). Suppose $LK^3$-$W^1_1 \vdash \Gamma \rightarrow \Delta$, where $\Gamma \cup \Delta \subseteq 
\forall^2\Sigma^{\mathcal{B}}_1$, and consider an anchored proof $\pi$ of this sequent. Since both the endse- 
quent of $\pi$ and every non-logical axiom of $LK^3$-$W^1_1$ is $\forall^2\Sigma^{\mathcal{B}}_1$, and since the in- 
duction rule is limited to this same class of formulas, every formula in $\pi$ is $\forall^2\Sigma^{\mathcal{B}}_1$. 

We now show by induction on the number of sequents in $\pi$ that POWOs exist 
for $\Gamma \rightarrow \Delta$. 

Base Case: The base case is that $\Gamma \rightarrow \Delta$ is either an initial sequent of 
$LK^3$ or an instance of an axiom. The only such sequents requiring POWOs are 
those with a third-order quantifier in the succedent, namely an instance 

\[ \rightarrow (\exists\mathcal{Y})(\forall Z < s(B, b))[\phi(B, \mathcal{B}, b, Z) \leftrightarrow \mathcal{Y}(Z)] \] 

of $\Sigma^{\mathcal{B}}_0$-3COMP, where $\phi \in \Sigma^{\mathcal{B}}_0$, subject to the restriction that $\mathcal{Y}$ does not occur 
free in $\phi$. The only POWO required for this sequent is computed by the predicate 

\[ f(B, \mathcal{B}, b, A, Z) \leftrightarrow |Z|_2 < s(B, b) \wedge \phi(B, \mathcal{B}, b, Z), \] 
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which is in some level of the polynomial-time hierarchy, and thus certainly in 
PSPACE. 

Induction Step: The induction step has several cases depending on which 
rule has been used to derive $\Gamma \rightarrow \Delta$. 

1.-8. Weakening; Contraction; Exchange, introduction of $\vee$ on the right and 
$\wedge$ on the left; Introduction of $\vee$ on the left and $\wedge$ on the right; First- 
or second-order $\forall$ : left and $\exists$ : right; First- or second-order $\forall$ : right and 
$\exists$ : left; Third-order $\exists$ : left; and Third-order $\exists$ : right: These cases are all 
easy and are omitted for brevity. 

9. The cut rule: 

The inference is 

\[ \frac{\Gamma \rightarrow \phi, \Delta \qquad \Gamma, \phi \rightarrow \Delta}{\Gamma \rightarrow \Delta} \] 

A POWO for the conclusion proceeds in two phases: first, it evaluates its 
formula using the POWO from the left hypothesis, and if that POWO sat- 
isfies the formula, it emulates it. Otherwise, it emulates the POWO from 
the right hypothesis, and uses the POWO for $\phi$ from the left hypothesis to 
supply a value for the oracle argument. The whole procedure uses at most 
the sum of the space requirements of the two POWOs from the hypotheses. 
If any free variables are eliminated, then as before a dummy argument of 
the correct type is supplied to the POWOs. 

10. $\forall^2\Sigma^{\mathcal{B}}_1$-IND: 

The inference is: 

\[ \frac{\Gamma, \phi(b) \rightarrow \phi(b+1), \Delta}{\Gamma, \phi(0) \rightarrow \phi(t), \Delta} \] 

The POWOs for the conclusion will iterate the construction from the pre- 
vious case, as the current instance of the induction rule could be simulated 
by $t$ instances of the cut rule, along with some weakenings. 

More precisely, let be the POWO for the instance of 0 in the succedent 
of the hypothesis. Let 0 be any formula in the succedent of the hypothesis 
(including 0) and its POWO. We construct a POWO for 0 in the 
conclusion in stages: 
f°{X,Y) ^ U{X,Y). 

f^(X,Y) ^ (0(4-1) A f^-\X,Y)) V (-0(4-1) A f!;-\U,X,Y)). 

4 checks if satisfies 0 and if so, simulates f^. If not, 4 computes 

that is to say, uses to answer queries to the oracle argument 
corresponding to 0. 

4 checks if 4”^ satisfies 0 and if so, simulates 4”^- ’^ot, 4 computes 

4”'(W- 

4? then, evaluates t and computes f^. Computing 4 requires t times the 
space required to compute plus the space requirements of /^, and so 
only increases the space usage of POWOs by a polynomial factor. 

□ 
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6 The Propositional System BPLK 



In this section we review the sequent system BPLK [22], which is basically PK 
(i.e., the propositional fragment of LK) enhanced with the reasoning power of 
Boolean programs, defined below. These (Boolean programs) were introduced in 
[10] and are a way of specifying Boolean functions. They are something like a 
generalization of the technique of using new atoms to replace part of a Boolean 
formula, which idea is the basis of extended Frege systems. The following defi- 
nition is from that paper: 



Definition 10 (Cook-Soltys). 

, , , , , , 



Boolean Program 





fi{pi) := Ai 

Pi ^ ^ pi,...,Pki , , 

■ Pi , - , , - , , , , ' 

/ ' - I I I I ' formula ^ ^ 



fi, ■■■, fi-l 



The semantics are as for propositional formulas, except that when evaluating 
an application $f_i(\vec{\phi})$ of a function symbol, the value is defined, using the defining 
equation, to be $A_i(\vec{\phi})$. There is no free/bound distinction between variables in 
the language of Boolean programs. 

An interesting property of Boolean programs from [10] that demonstrates 
their comparability to quantified Boolean formulas is that evaluating them is 
PSPACE-complete. 



Definition 11 (BPLK). 



(7T,P) 




f{p) ■= A(p), 



f{cf),r^A 


/ : right 


(Substitution Rulej , - , 


, subst 



^{q,p) - 


r{q,p) 


A{(j),p) - 


r{(!>,p) 



r^A,A{f) 
, p 
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Simultaneous substitutions can be simulated with several applications of 
subst. The following is the main result of [22]: 

Theorem 12. ^ ^ ■ >>' > , • , , , 



7 Translation into BPLK 



In this section we define a translation $\|\cdot\|$ of formulas in the language of 
$W^1_1$ (i.e. with no third-order quantifiers) into families of propositional sequents 
in the language of Boolean programs. Our main result is 



Theorem 13. If $\phi(\vec{A}) \in \Sigma^{\mathcal{B}}_0$ and $W^1_1 \vdash \phi(\vec{A})$, then $\|\phi\|$ has polynomial-size 
BPLK proofs. 




This will follow directly from lemma 17 below. The definability of the proofs 
follows from the fact that they can actually be constructed in polynomial time. 

First, we can extend the definitions of a Boolean Program and of a BPLK 
proof as follows: 



Definition 14. Boolean Semiprogram , 
Definition 15. BPLK-Sequence 



(■. ) 



The following translation is defined for the larger class Eq (including free 
third-order variables) and is necessary for the main lemma in the proof: 



Definition 16. Ai, Ak) . Eq ^ 

, mi, ...,mk , , ' , ^ • J , , , 

,. , P= {PiA=^,-,k), Pi= {Pi,0,-;Pt,nik) , ' 

, , ' ^ 

“ . 0 , , , . . / S = t, t < S ^ t €2 T / ^ ^ 







. Ai S3 Aj 

9^, 



ll'/'ll ’ ■ — 9Aj(Pi,0j ■■■}Pi,mi) 
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3x < ttp{x) 




:= V„<JI^(n)ir- 

71 


..,mk 






s/x] s 




, n, ^ . 1 -1- ... -1- Ij 


pmi 




pmi,. 


..,mk 










■ ^ , 


Vx < t^{x) 






pmi 




prtii,. 














3X < tip{X) 


||^||mi,....rnfc _ 


-urn , - 




■*('*'*( i 



l<t 

qi, ■■■, qi) ■■= 0, qi, ■■■, qi) v i, <?*■, , , -qi) 

l<t ^ ^ i<l+l 

UiP) ■= V /li+i®- 

i<t 

(p , yx < t2jj{x) , , ,, , 

It is clear that for fixed $\phi$, the size of $\|\phi\|^{m_1, \ldots, m_k}$ is polynomial in $m_1, \ldots, m_k$. 
Whenever we talk of BPLK proofs or BPLK-sequences involving translations of 
this form, we shall insist that the associated Boolean (semi-)program extend the 
(semi-)program resulting from the translation. 
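The evaluation semantics of Definition 10 and the chain of function definitions used above to translate a bounded existential quantifier, as an added example in Python (not code from the paper, nor from [10] or [22]): a small evaluator for Boolean programs, in which an application is evaluated by binding the arguments to the symbol's parameters and evaluating its defining formula, with the ordering restriction on definitions enforced, together with a program of t+1 definitions g_t, ..., g_0 that decides whether some assignment to q1..qt satisfies a given formula psi. The formula encoding, the names g_l and q_i, and the two sample clause sets are constructed for this example; the recursion-depth counter is there to show that the evaluator's storage grows linearly in t while the search covers 2^t assignments.

```python
from itertools import product

# Formula syntax, constructed for this example:
#   ('const', bool) | ('var', name) | ('not', f) | ('and', f, g) | ('or', f, g)
#   | ('app', fname, [argument formulas])
# A Boolean program is an ordered list of definitions (fname, params, body); the body of
# the i-th definition may apply only function symbols defined earlier in the list.


def applied_symbols(formula):
    """Function symbols applied anywhere inside a formula."""
    tag = formula[0]
    if tag in ("const", "var"):
        return set()
    if tag == "not":
        return applied_symbols(formula[1])
    if tag in ("and", "or"):
        return applied_symbols(formula[1]) | applied_symbols(formula[2])
    if tag == "app":
        return {formula[1]}.union(*[applied_symbols(a) for a in formula[2]])
    raise ValueError(f"unknown formula tag {tag!r}")


def check_program(program):
    """Enforce the ordering condition (f_i may use only f_1..f_{i-1}); return a lookup table."""
    defined = set()
    for fname, params, body in program:
        for used in applied_symbols(body):
            if used not in defined:
                raise ValueError(f"{fname} applies {used} before it is defined")
        defined.add(fname)
    return {fname: (params, body) for fname, params, body in program}


def is_well_formed(program):
    try:
        check_program(program)
        return True
    except ValueError:
        return False


def evaluate(formula, env, defs, depth=0, stats=None):
    """Evaluate under assignment `env` (name -> bool).  An application f_i(phi_1..phi_k)
    takes the value A_i(phi_1..phi_k): the arguments are evaluated, bound to f_i's
    parameters, and the defining formula A_i is evaluated in that fresh environment.
    Nothing is memoised, so live storage is one small environment per open frame."""
    if stats is not None:
        stats["max_depth"] = max(stats["max_depth"], depth)
    tag = formula[0]
    if tag == "const":
        return formula[1]
    if tag == "var":
        return env[formula[1]]
    if tag == "not":
        return not evaluate(formula[1], env, defs, depth + 1, stats)
    if tag == "and":
        return (evaluate(formula[1], env, defs, depth + 1, stats)
                and evaluate(formula[2], env, defs, depth + 1, stats))
    if tag == "or":
        return (evaluate(formula[1], env, defs, depth + 1, stats)
                or evaluate(formula[2], env, defs, depth + 1, stats))
    if tag == "app":
        params, body = defs[formula[1]]
        args = [evaluate(a, env, defs, depth + 1, stats) for a in formula[2]]
        if len(args) != len(params):
            raise ValueError(f"{formula[1]} expects {len(params)} arguments, got {len(args)}")
        return evaluate(body, dict(zip(params, args)), defs, depth + 1, stats)
    raise ValueError(f"unknown formula tag {tag!r}")


def exists_program(psi, t):
    """Program of t+1 definitions deciding 'some assignment to q1..qt satisfies psi':
         g_t(q1..qt) := psi(q1..qt)
         g_l(q1..ql) := g_{l+1}(0, q1..ql) or g_{l+1}(1, q1..ql)   for l = t-1, ..., 0
    g_0() is true iff the existential statement holds.  The program has size O(t*|psi|),
    whereas the same disjunction written out as one formula has size 2^t * |psi|."""
    program = [(f"g{t}", [f"q{i}" for i in range(1, t + 1)], psi)]
    for l in range(t - 1, -1, -1):
        params = [f"q{i}" for i in range(1, l + 1)]
        qs = [("var", q) for q in params]
        body = ("or", ("app", f"g{l + 1}", [("const", False)] + qs),
                      ("app", f"g{l + 1}", [("const", True)] + qs))
        program.append((f"g{l}", params, body))
    return program


def decide_exists(psi, t, stats=None):
    """Evaluate g_0 of the program above; stats (if given) records the recursion depth."""
    defs = check_program(exists_program(psi, t))
    return evaluate(("app", "g0", []), {}, defs, 0, stats)


def brute_force_exists(psi, t):
    """Independent check that tries all 2^t assignments directly."""
    names = [f"q{i}" for i in range(1, t + 1)]
    return any(evaluate(psi, dict(zip(names, bits)), {}) for bits in product([False, True], repeat=t))


def lit(name, positive=True):
    return ("var", name) if positive else ("not", ("var", name))


def conj(*formulas):
    """Right-nested conjunction of the given formulas."""
    out = formulas[-1]
    for f in reversed(formulas[:-1]):
        out = ("and", f, out)
    return out


# Constructed sample predicates over q1..q4: a satisfiable clause set and an unsatisfiable one.
PSI_SAT = conj(("or", lit("q1"), lit("q2")), ("or", lit("q1", False), lit("q3")),
               ("or", lit("q2", False), lit("q3", False)), ("or", lit("q3"), lit("q4")))
PSI_UNSAT = conj(lit("q1"), lit("q1", False), lit("q2"))
```

Running decide_exists on PSI_UNSAT with t = 4 and t = 6 and comparing the recorded depths shows the linear growth: each extra bound variable adds one application and one defining-formula frame, while the number of assignments the evaluator walks through quadruples.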

The following lemma is the main lemma of the proof. In the previous section, 
since it is not possible to translate a general $\Sigma^{\mathcal{B}}_1$ formula into the language of 
BPLK, we defined POWOs and used them to witness a sequent containing third- 
order quantifiers. Similarly, in the lemma below we shall translate sequents with 
third-order quantifiers as if those third-order variables were free, and then show 
that BPLK can prove the existence of a function symbol witnessing the sequent 
in much the same way. This aspect of the statement of the lemma is greatly sim- 
plified compared to the analogous lemma in [17], where, to talk about an arbitrary 
witness to the antecedent of the sequent, the authors stated the lemma with arbi- 
trary formulas of the appropriate class substituted for the third-order variables. 

Since formulas in the proof are not all guaranteed to be strict $\Sigma^{\mathcal{B}}_1$, due to the 
slightly more complicated induction scheme in $W^1_1$, the translations used in the 
lemma are actually translations of the equivalent form given by the replacement 
theorem (i.e. with the third-order quantifier moved to the front). 

Lemma 17. LK^ -IPfhr — F\JAc V^T'f , 

r = {iAi < Si3Ai'yi{Ai,Ai,B,B,h)} ^ _ 

= {VQ < U3CMC^,CuB,BA)}, 
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^ ... J Cp' , n) I 



, -[C’75cJ 



'■ (, > - 9Ai) 

^ mi,...,mk , - ni,...,ni 



9Ci , 



Proof. We show the existence of the desired BPLK-sequence by induction on the 
number of sequents in the $W^1_1$ proof, in a manner very similar to the witnessing 
theorem of the previous section. The witnessing function symbols of the present 
lemma are analogous to POWOs. 

Base Case: This is trivial for initial sequents, and the witnessing function 
symbol, if required, is defined to be the constant false predicate. For translations 
of axioms B1-B12, L1, L2 and instances of $\Sigma^{\mathcal{B}}_0$-2COMP, it follows from the 
analogous result for $V^1_1$ and Extended Frege. For translations of instances of 
$\Sigma^{\mathcal{B}}_0$-3COMP, the witnessing function symbol has defining formula identical to 
the comprehension formula, and then the translation of the instance is proved 
using the introduction rule for this symbol followed by repeated substitutions 
and $\wedge$ : right inferences. 

Induction Step: There are cases depending on the final inference of the 
proof: 

1.-5. Weakening, Exchange, introduction of $\vee$ on the right and $\wedge$ on the left; 
Contraction, introduction of $\vee$ on the left and $\wedge$ on the right; introduction 
of first-, second- and third-order quantifiers: 

These cases are all straightforward and are omitted. 

6. Cut, Induction: 

The cut rule is handled by defining new witnessing function symbols for 
the conclusion by cases, using the witnessing function symbol for the cut 
formula. For induction this procedure is iterated as many times as the value 
of the induction bound. 

For example, if the cut formula is Cj), then a new wit- 

nessing function symbol $h_j$ for $\forall C_j < t_j\,\exists\mathcal{C}_j\,\delta_j(C_j, \mathcal{C}_j)$ would be defined as 
follows, where $h'$ is the witnessing function symbol for the hypothesis with 
the cut formula on the right, and $h''$ that for the hypothesis with the cut 
formula on the left: 

h, := (||5,(C',,Cp')||p/g,J A h,) V 

□ 
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7.1 Consistency and Polynomial Simulation 

Now Cook [12] and later others [15], [17], [14], etc. showed that some bounded 
arithmetic theories can prove the consistency of related propositional proof sys- 
tems, and furthermore that any proof system whose consistency can be proved 
in the theory can be polynomially simulated by the related proof system. For 
completeness we mention the analogous results for $W^1_1$ and BPLK. 

Let BPTAUT($X$) be a formula stating that the string $X$ codes a tautological 
propositional formula in the language of Boolean programs, as follows: “for any 
assignment to the free variables, there exists a transcript of the exponential- 
length computation of the Boolean function symbol terms occurring in the for- 
mula such that the resulting truth-values satisfy the formula”. Clearly a $\Sigma^{\mathcal{B}}_1$ 
formula will suffice. Let $\mathrm{Prf}_{BPLK}(X, Y)$ be a $\Sigma^{\mathcal{B}}_0$ formula stating that $X$ codes a 
BPLK-proof of the formula coded by $Y$. Then 

Theorem 18. 

\[ W^1_1 \vdash \forall X, Y\,[\mathrm{Prf}_{BPLK}(X, Y) \supset \mathrm{BPTAUT}(Y)] \] 

The formula in the theorem is called RFN(BPLK). 

Proof. By induction on the length of the proof, similar to the 
witnessing theorem, a transcript is constructed, for each assignment, of evaluat- 
ing the formula at that assignment. □ 

The next thing to show would be that if P is a proof system whose consistency 
can be proved in $W^1_1$, i.e. $W^1_1 \vdash$ RFN(P), then BPLK polynomially simulates 
P. For $U^1_2$, what is known is actually the weaker statement that if $U^1_2$ proves 
$\Sigma^q_1$-RFN(P), which is the consistency of P for $\Sigma^q_1$ formulas, then G polynomially 
simulates P for proofs of those formulas. An analogous statement is almost cer- 
tainly true of $W^1_1$ and BPLK, simply because BPLK polynomially simulates G, 
and because $W^1_1$ and $U^1_2$ are most likely related by an RSUV-style isomorphism. 
Of more interest is the statement for RFN(P), but this formula is likely not $\Sigma^{\mathcal{B}}_0$ 
for interesting proof systems (G or even BPLK, for instance), and so the usual 
techniques do not seem to apply, due to the expressibility of formulas in the lan- 
guage of BPLK. A proof system with more expressive formulas, however, would 
be a candidate for this kind of statement. See the open problems for details. 

8 Open Problems 

Several future directions are indicated. First of all, one motivation for the defi- 
nition of $W^1_1$ was to simplify the axioms as much as possible, yet we were unable 
to limit induction to strict $\Sigma^{\mathcal{B}}_1$ formulas. One problem, then, is to prove the re- 
placement theorems of $W^1_1$ with this more restricted induction. There does not 
seem to be any good reason why this should not be possible. On the other hand, 
Cook and Thapen [11] have recently used KPT-like witnessing theorems to show 
independence of certain replacement schemes from various theories of bounded 
arithmetic, and their techniques may apply in this case. 
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Next, there are some unresolved technical issues regarding BPLK: The most 
pressing is to eliminate the substitution rule (analogously to in G) but at least 
the current proof of BPLK’s p-equivalence to G seems to rely on this rule in an 
essential way. See [21] for details. 

Another idea is to extend $W^1_1$ to obtain theories for higher complexity classes. 
For example, by analogy to $V^1_2$, extending the induction in $W^1_1$ to full induction 
on the strings should yield a theory for EXPTIME, but this would be inelegant to 
state (although a more natural formulation may exist). Nevertheless, it should be 
possible to obtain theories for each level of the exponential-time hierarchy in this 
way, and with more work, for the linear-exponential-time hierarchy and others. 

Finally, the idea of having free function symbols in a BPLK proof seems 
quite general and suggests a direction for even stronger proof systems obtained 
by allowing function symbol quantifiers in a new kind of BPLK proof. Indeed, 
this would seem to be a modern version of the ^ ^ of Stanislaw Lesniewski 

[18] and would hopefully match the stronger theories envisaged in the previous 
paragraph. 



9 Acknowledgment 

Many thanks to Stephen Cook for countless helpful discussions on this topic. 
Thanks also to the reviewers for several important comments. 



References 

1. S. Buss. Bounded Arithmetic. Bibliopolis, Naples, 1986. 

2. Samuel Buss, Jan Krajíček, and Gaisi Takeuti. On provably total functions in 
bounded arithmetic theories R^i_3, U^i_2 and V^i_2. In Peter Clote and Jan Krajíček, edi- 
tors, Arithmetic, proof theory and computational complexity, pages 116-161. Oxford 
University Press, Oxford, 1993. 

3. Samuel R. Buss. Relating the bounded arithmetic and polynomial time hierarchies. 
Annals of Pure and Applied Logic, 75(1-2):67-77, 12 September 1995. 

4. Samuel R. Buss, editor. Handbook of Proof Theory. Elsevier Science B.V., Ams- 
terdam, 1998. 

5. Samuel R. Buss. Polynomial-size Frege and resolution proofs of st-connectivity and 
Hex tautologies. Typewritten manuscript, 2003. 

6. Mario Chiari and Jan Krajíček. Witnessing functions in bounded arithmetic and 
search problems. The Journal of Symbolic Logic, 63(3):1095-1115, September 1998. 

7. P. Clote and G. Takeuti. Bounded arithmetic for NC, ALogTIME, L and NL. 
Annals of Pure and Applied Logic, 56(1-3):73-117, 29 April 1992. 

8. S. Cook and A. Kolokolova. A second-order system for polytime reasoning using 
Grädel's theorem. In 16th Annual IEEE Symposium on Logic in Computer Science 
(LICS '01), pages 177-186, Washington - Brussels - Tokyo, June 2001. IEEE. 

9. S. A. Cook. CSC 2429S: Proof Complexity and Bounded Arithmetic. Course notes, 
URL: http://www.cs.toronto.edu/~sacook/csc2429h. Winter 2002. 

10. Stephen Cook and Michael Soltys. Boolean programs and quantified propositional 
proof systems. Bulletin of the Section of Logic, 28(3), 1999. 




354 A. Skelley 



11. Stephen Cook and Neil Thapen. The strength of replacement in weak arithmetic. 
In LICS '04, 2004. To appear. 

12. Stephen A. Cook. Feasibly constructive proofs and the propositional calculus (pre- 
liminary version). In Conference Record of Seventh Annual ACM Symposium on 
Theory of Computing, pages 83-97, Albuquerque, New Mexico, 5-7 May 1975. 

13. Stephen A. Cook. Relating the provable collapse of P to NC$^1$ and the power 
of logical theories. DIMACS Series in Discrete Mathematics and Theoretical Computer 
Science, 39, 1998. 

14. Jan Krajíček. On Frege and Extended Frege proof systems. In P. Clote, J. Remmel 
(eds.): Feasible Mathematics II, pages 284-319. Birkhäuser, Boston, 1995. 

15. Jan Krajíček and Pavel Pudlák. Quantified propositional calculi and fragments of 
bounded arithmetic. Zeitschr. f. math. Logik u. Grundlagen d. Math., 
36:29-46, 1990. 

16. Jan Krajíček, Pavel Pudlák, and Gaisi Takeuti. Bounded arithmetic and the poly- 
nomial hierarchy. Annals of Pure and Applied Logic, 52(1-2):143-153, 1991. 

17. Jan Krajíček and Gaisi Takeuti. On bounded $\Sigma^1_1$ polynomial induction. In S. R. 
Buss and P. J. Scott, editors, FEASMATH: Feasible Mathematics: A Mathematical 
Sciences Institute Workshop, pages 259-280. Birkhäuser, 1990. 

18. Stanisław Leśniewski. Grundzüge eines neuen Systems der Grundlagen der Math- 
ematik. Fundamenta Mathematicae, 14:1-81, 1929. 

19. Alexander A. Razborov. An equivalence between second order bounded domain 
bounded arithmetic and first order bounded arithmetic. In Peter Clote and Jan 
Krajíček, editors, Arithmetic, proof theory and computational complexity, pages 
247-277. Oxford University Press, Oxford, 1993. 

20. Stefan Reisch. Hex ist PSPACE-vollständig. Acta Informatica, 15:167-191, 1981. 

21. Alan Skelley. Relating the PSPACE reasoning power of Boolean programs and 
quantified Boolean formulas. Master's thesis, University of Toronto, 2000. Avail- 
able from ECCC in the 'theses' section. 

22. Alan Skelley. Propositional PSPACE reasoning with Boolean programs 
vs. quantified Boolean formulas. In ICALP '04, 2004. To appear. 

23. Michael Soltys. A model-theoretic proof of the completeness of LK proofs. 
Manuscript, available on author's web page, 1999. 

24. Gaisi Takeuti. RSUV isomorphism. In Peter Clote and Jan Krajíček, editors, Arith- 
metic, proof theory and computational complexity, pages 364-386. Oxford University 
Press, Oxford, 1993. 

25. D. Zambella. Notes on polynomially bounded arithmetic. The Journal of Symbolic 
Logic, 61(3):942-966, 1996. 




Provably Total Primitive Recursive Functions: 
Theories with Induction 



Andrés Cordón-Franco, Alejandro Fernández-Margarit, and 
F. Félix Lara-Martín 

Dpto. Ciencias de la Computación e Inteligencia Artificial. 
Facultad de Matemáticas. Universidad de Sevilla 
C/ Tarfia, s/n. Sevilla, 41012, (Spain) 

{acordon,fflara}@us.es 



Abstract. A natural example of a function algebra is $\mathcal{R}(T)$, the class 
of provably total computable functions (p.t.c.f.) of a theory $T$ in the 
language of first order Arithmetic. In this paper a simple characterization 
of that kind of function algebras is obtained. This provides a useful tool 
for studying the class of primitive recursive functions in $\mathcal{R}(T)$. We prove 
that this is the class of p.t.c.f. of the theory axiomatized by the induction 
scheme restricted to (parameter free) $\Delta_1(T)$-formulas (i.e. $\Sigma_1$-formulas 
which are equivalent in $T$ to $\Pi_1$-formulas). 

Moreover, if $T$ is a sound theory and proves that exponentiation is a 
total function, we characterize the class of primitive recursive functions 
in $\mathcal{R}(T)$ as a function algebra described in terms of bounded recursion 
(and composition). Extensions of this result are related to open problems 
on complexity classes. We also discuss an application to the problem on 
the equivalence between (parameter free) $\Delta_1$-collection and (uniform) 
$\Delta_1$-induction schemes in Arithmetic. 

The proofs lean upon axiomatization and conservativeness properties 
of the scheme of $\Delta_1(T)$-induction and its parameter free version. 



1 Introduction 

A function algebra is a family of functions that can be described as the smallest 
class of functions that contains some initial functions and is closed under certain 
operators. Classical examples of function algebras include the class of primitive 
recursive functions, $\mathcal{PR}$, the classes $\mathcal{E}^n$ ($n \ge 1$) in the Grzegorczyk hierarchy and 
the class of Kalmár elementary functions, $\mathcal{E}$ (see [6, 13]). Another important ex- 
ample is given by $\mathcal{R}(T)$, the class of provably total computable functions (p.t.c.f.) 
of a theory $T$ in the language of first order Arithmetic. The class $\mathcal{R}(T)$ can be 
used to obtain independence results for $T$ and to separate it from other theories. 
On the other hand, if a function algebra, $\mathcal{C}$, is the class of p.t.c.f. of a theory, $T$, 
then proof-theoretic and model-theoretic properties of $T$ can be used to estab- 
lish results on $\mathcal{C}$. This increases the methods available in the study of function 
algebras by adding to them techniques from Proof Theory and Model Theory. 
As surveyed in [6], function algebras provide machine-independent characteri- 
zations of many complexity classes and offer an alternative view of important 
open problems in Complexity Theory. In this way, classes of p.t.c.f. constitute a 
link among Complexity Theory, Proof Theory and Model Theory that has been 
exploited in the work on Bounded Arithmetic (see [12]). 

In this paper we present a new example of the fruitful interactions among 
fragments of Arithmetic, function algebras and computational complexity. Given 
a function algebra, $\mathcal{C}$, we introduce the algebra $\mathcal{E}^{\mathcal{C}}$ defined as the smallest class 
containing the basic functions (zero, successor and projections) and closed under 
composition and $\mathcal{C}$-bounded recursion. We study the relationship between $\mathcal{C}$ and 
$\mathcal{E}^{\mathcal{C}}$ when $\mathcal{C}$ is the class of p.t.c.f. of a theory $T$. If $\mathcal{C} = \mathcal{R}(T)$ then 

— (Theorem 4) $\mathcal{C} \cap \mathcal{PR} \subseteq \mathcal{E}^{\mathcal{C}}$. Moreover, if $\mathcal{C}$ is closed under bounded minimiza- 
tion, $\mathcal{E}^{\mathcal{C}}$ is the closure of $\mathcal{C} \cap \mathcal{PR}$ under composition and bounded recursion. 

— (Theorem 5) Assume that $\mathcal{C}$ is closed under bounded minimization. Then 
$\mathcal{C} \cap \mathcal{PR} = \mathcal{E}^{\mathcal{C}}$ if and only if there exists a theory $T'$ such that $\mathcal{E}^{\mathcal{C}} = \mathcal{R}(T')$. 

For the proof of these results the concept of a $\Delta_0$-generated function algebra 
is introduced. A function algebra, $\mathcal{C}$, is $\Delta_0$-generated if (it contains Grzegorczyk's 
class $\mathcal{M}^2$ and) each function in $\mathcal{C}$ can be obtained as a composition of two 
functions in $\mathcal{C}$ with $\Delta_0$-definable graph. We prove (see Theorem 1) that a function 
algebra is $\Delta_0$-generated if and only if it is the class $\mathcal{R}(T)$ for some theory $T$ 
(extending $I\Delta_0$). 

If $\mathcal{C} \subseteq \mathcal{PR}$ is closed under bounded minimization, then Theorem 5 states 
that $\mathcal{C} = \mathcal{E}^{\mathcal{C}}$ if and only if $\mathcal{E}^{\mathcal{C}}$ is $\Delta_0$-generated. This fact has interesting appli- 
cations to complexity classes as $\mathcal{F}_{PH}$ (computable functions in the Polynomial 
Time Hierarchy, that is, $\bigcup_i \square^p_i$ in Buss' terminology, see [10]) and $\mathcal{F}_{LTH}$ 
(computable functions in the Linear Time Hierarchy, see [6]). Both classes are 
contained in $\mathcal{PR}$ and are $\Delta_0$-generated and closed under bounded minimization: 

— $\mathcal{F}_{LTH} = \mathcal{M}^2 = \mathcal{R}(I\Delta_0)$ (see [6, 16]), and 

— $\mathcal{F}_{PH} = \mathcal{R}(I\Delta_0 + \Omega_1)$ (see [10]), where $I\Delta_0 + \Omega_1$ is the theory introduced by 
A. Wilkie and J. Paris in [17]. 

But $\mathcal{E}^{\mathcal{F}_{LTH}} = \mathcal{E}^2 = \mathcal{F}_{LINSPACE}$ (R.W. Ritchie, see [6]) and $\mathcal{E}^{\mathcal{F}_{PH}} = \mathcal{F}_{PSPACE}$ 
(D.B. Thompson, see [6]). Therefore, by Theorem 5 it follows that: 

1. If $\mathcal{F}_{PSPACE}$ is $\Delta_0$-generated then $\mathcal{F}_{PSPACE} = \mathcal{F}_{PH}$. 

2. If $\mathcal{F}_{LINSPACE}$ is $\Delta_0$-generated then $\mathcal{F}_{LINSPACE} = \mathcal{F}_{LTH}$. Or, equivalently, 
$\mathcal{E}^2 = \mathcal{M}^2$ if and only if $\mathcal{E}^2$ is $\Delta_0$-generated. 

These facts suggest that a deeper knowledge of structural properties of $\Delta_0$- 
generated function algebras (especially, construction of non $\Delta_0$-generated func- 
tion algebras) could be relevant in the study of complexity classes. They also 
raise a natural question: if $\mathcal{C} = \mathcal{R}(T)$ and $\mathcal{E}^{\mathcal{C}}$ is $\Delta_0$-generated, is there a natural 
theory $T'$ such that $\mathcal{R}(T') = \mathcal{E}^{\mathcal{C}}$? We obtain an answer to this question from 
the study of induction schemes for $\Delta_1$-formulas. Let $I\Delta_1(T)^-$ be the theory 
axiomatized by the induction scheme restricted to parameter free $\Delta_1(T)$-formulas. 

— (Theorem 2) $\mathcal{R}(I\Delta_1(T)^-) = \mathcal{C} \cap \mathcal{PR}$. 

So, from Theorem 5 we get that, if $\mathcal{C}$ is closed under bounded minimization 
and $\mathcal{E}^{\mathcal{C}}$ is $\Delta_0$-generated, then $\mathcal{E}^{\mathcal{C}} = \mathcal{R}(I\Delta_1(T)^-)$. 

The next step is to find conditions ensuring that $\mathcal{E}^{\mathcal{C}}$ is $\Delta_0$-generated. Classes $\mathcal{E}^{\mathcal{C}}$ are 
a generalization of Grzegorczyk's classes $\mathcal{E}^n$, and it is well known that if the expo- 
nential function is in $\mathcal{E}^n$, then bounded recursion can be reduced to bounded 
minimization (see [6, 13]). But bounded minimization has a straightforward for- 
mulation in the language of first order Arithmetic and, as a consequence (for 
$n \ge 3$), $\mathcal{E}^n$ is $\Delta_0$-generated. The key ingredients in the proof of this fact are the 
exponential function (which allows for coding of sequences of arbitrary length) 
and the $\Delta_1$-collection principle (as a suitable formulation of the combinatorial prin- 
ciples involved). These arguments lead to a natural condition for $\mathcal{E}^{\mathcal{C}}$ to be a 
$\Delta_0$-generated function algebra and relate the study of $\mathcal{E}^{\mathcal{C}}$ to the problem on the 
equivalence between the schemes of $\Delta_1$-collection and $\Delta_1$-induction in Arith- 
metic (see [7]). In [3, 5], L. Beklemishev obtains $\Pi_2$-axiomatized theories that 
are not closed under the $\Delta_1$-collection rule or the $\Delta_1$-induction rule. He proposes classes 
of p.t.c.f. as a tool to separate the fragments $I\Delta_1$ and $B\Delta_1$. Recently (see [15]) 
T. Slaman has proved that $I\Delta_1 + \exp$ is equivalent to $B\Delta_1 + \exp$ (where $\exp$ is 
a $\Pi_2$-sentence expressing that exponentiation defines a total function with $\Delta_0$ 
definable graph (see [10])). So, Beklemishev's approach must fail. Nevertheless, 
as we shall show, classes of p.t.c.f. can be used to obtain positive results on 
fragments of Arithmetic. Motivated by Beklemishev's work in [3, 4, 5], we study 
the classes of p.t.c.f. of the theories $I\Delta_1(T)$ and $L\Delta_1(T)$ introduced in [9], and 
their relationship with the uniform counterpart of Slaman's result. 

Theorem 5 holds for $\mathcal{C}$ closed under bounded minimization. We prove that if 
Theorem 5 also holds under the following (apparently weaker) hypothesis: 

(IC) $\mathcal{C} = \mathcal{R}(T)$ and $T$ extends $I\Delta_1(T)$, 

then a (weak) uniform counterpart of Slaman's result can be obtained, namely, 
the theories $B\Delta_1^- + \exp$ and $UI\Delta_1 + \exp$ are equivalent modulo $\Pi_1$-true sentences 
(see Theorem 7). The last equivalence can also be obtained from Slaman's theorem 
and $\Delta_0$-conservativeness between $I\Delta_1 + \exp$ and $UI\Delta_1 + \exp$ (see corollary 6 in 
[5]). However, we present an independent approach stressing the role of function 
algebras via classes of p.t.c.f. 

Our main tools for the proofs are axiomatization and conservativeness results 
for $I\Delta_{n+1}(T)$ and Herbrand analyses, essentially along the lines presented by 
W. Sieg in [14]; however, we work in a model-theoretic framework, following J. 
Avigad's work in [1]. 



2 Fragments of Arithmetic and Function Algebras 

Throughout this paper we deal with classes of p.t.c.f. of a number of theories. We are 
mainly interested in characterizations of these classes as function algebras. So, 
first of all, we introduce the theories and classes of functions we are concerned 
with. These theories are axiomatized by axiom schemes expressing classical prin- 
ciples in Arithmetic such as induction, minimization and collection. 

Let $\mathcal{L} = \{0, 1, <, +, \cdot\}$ be the language of first order Arithmetic. The induction 
and minimization axioms for a formula $\varphi(x, v)$ with respect to $x$ are, respectively, 

$I_{\varphi,x}(v) = \varphi(0, v) \wedge \forall x\,[\varphi(x, v) \to \varphi(x+1, v)] \to \forall x\,\varphi(x, v),$ 

$L_{\varphi,x}(v) = \exists x\,\varphi(x, v) \to \exists x\,(\varphi(x, v) \wedge \forall z < x\,\neg\varphi(z, v)).$ 

The collection axiom for a formula $\varphi(x, y, v)$ with respect to $x, y$ is 

$B_{\varphi,x,y}(z, v) = \forall x < z\,\exists y\,\varphi(x, y, v) \to \exists u\,\forall x < z\,\exists y < u\,\varphi(x, y, v).$ 

As usual, we write $I_\varphi$ instead of $I_{\varphi,x}$ and similarly we use $L_\varphi$ and $B_\varphi$. 

All theories considered in this paper are extensions of $P^-$, a finite set of $\Pi_1$ 
formulas whose models are the nonnegative part of a discretely ordered commu- 
tative ring (see [11]). Other theories are defined by restricting the schemes just 
introduced to formulas in the classes $\Sigma_n$ or $\Pi_n$ of the Arithmetical Hierarchy. If 
$\Gamma$ is a class of formulas of $\mathcal{L}$, then $I\Gamma = P^- + \{I_\varphi : \varphi \in \Gamma\}$. The theory $L\Gamma$ is sim- 
ilarly defined using $L_\varphi$ instead of $I_\varphi$. For collection, $B\Gamma = I\Delta_0 + \{B_\varphi : \varphi \in \Gamma\}$, 
where $\Delta_0$ denotes the class of bounded formulas of $\mathcal{L}$ (see [10, 11]). 

Induction schemes for $\Delta_{n+1}$-formulas will also be considered. $I\Delta_{n+1}$ is the 
theory given by: 

$P^- + \{\forall x\,(\varphi(x, v) \leftrightarrow \psi(x, v)) \to I_\varphi(v) : \varphi(x, v) \in \Sigma_{n+1},\ \psi(x, v) \in \Pi_{n+1}\}.$ 

If parameters, $v$, are not allowed, then we obtain the theory $I\Delta_{n+1}^-$. The 
uniform version of the induction scheme, $UI\Delta_{n+1}$, was introduced by R. Kaye. It 
is defined by considering the scheme $\forall v\,\forall x\,(\varphi(x, v) \leftrightarrow \psi(x, v)) \to \forall v\,I_\varphi(v)$. This 
theory is also studied by Beklemishev in [5], where it is denoted by $sI\Delta_1$. 

Definition. Let $T$ be a theory in the language $\mathcal{L}$. We say that $f : \omega^n \to \omega$ is a 
provably total computable function of $T$ if there exists a formula $\varphi(x, y) \in \Sigma_1$ 
such that 

1. $T \vdash \forall x\,\exists! y\,\varphi(x, y)$. 

2. For all $a_1, \ldots, a_n, b \in \omega$, $f(a) = b \iff \mathcal{N} \models \varphi(a, b)$, 

where $\mathcal{N}$ denotes the standard model of Arithmetic, whose universe is the 
set of natural numbers, $\omega$. In such a case, we say that $\varphi(x, y)$ defines $f$ in $T$. 

This definition is sensitive to changes in the language of the theory. If $T$ is a 
theory in a language $\mathcal{L}'$ extending $\mathcal{L}$, then $\mathcal{R}(T)$ will denote the class obtained 
by considering $\Sigma_1(\mathcal{L}')$-formulas instead of $\Sigma_1$-formulas. 

The class $\mathcal{R}(T)$ has turned out to be a natural object, its closure properties 
(under certain operators) reflecting axiom schemes (or inference rules) provable 
in $T$. Thus, closure under primitive recursion corresponds to $\Sigma_1$-induction and 
bounded minimization to $\Sigma_1$-collection (see [2]). In particular, $\mathcal{R}(I\Sigma_1) = \mathcal{PR}$ 
and $\mathcal{R}(I\Delta_0 + \exp) = \mathcal{E}$. 

It is easy to check that if $\Gamma \subseteq Th_{\Pi_1}(\mathcal{N})$ and $T$ is a sound theory (that 
is, $\mathcal{N} \models T$) then $\mathcal{R}(T) = \mathcal{R}(T + \Gamma)$ (see [14]). The class $\mathcal{R}(T)$ is determined 
by $Th_{\Pi_2}(T)$ (the set of $\Pi_2$-sentences provable in $T$). The converse also holds 
modulo $\Pi_1$-true sentences. 
Proposition 1. Let $T_1$, $T_2$ be $\Pi_2$-axiomatized extensions of $I\Delta_0$. The following are equivalent: 

(1) $\mathcal{R}(T_1) = \mathcal{R}(T_2)$. 

(2) $T_1 + Th_{\Pi_1}(\mathcal{N}) \iff T_2 + Th_{\Pi_1}(\mathcal{N})$. 

Proof. We only prove (1) $\Rightarrow$ (2). By symmetry, it is enough to show that 
$T_1 + Th_{\Pi_1}(\mathcal{N}) \Longrightarrow T_2$. Let $\theta(x, y)$ be a $\Delta_0$-formula such that $T_2 \vdash \forall x\,\exists y\,\theta(x, y)$. 
Let $\theta'(x, y)$ be the formula $\theta(x, y) \wedge \forall z < y\,\neg\theta(x, z)$. Since $T_2 \Longrightarrow I\Delta_0$, $T_2 \vdash 
\forall x\,\exists! y\,\theta'(x, y)$. Let $f$ be the computable function defined by $\theta'$ in $\mathcal{N}$. Then 
$f \in \mathcal{R}(T_2)$; so, by (1), $f \in \mathcal{R}(T_1)$. Hence, there is $\varphi(x, y) \in \Sigma_1$ defining $f$ in 
$T_1$. Thus, $\mathcal{N} \models \varphi(x, y) \leftrightarrow \theta'(x, y)$. In particular, $\mathcal{N} \models \forall x, y\,(\varphi(x, y) \to \theta'(x, y))$; 
so, since this last formula is a $\Pi_1$ sentence, $T_1 + Th_{\Pi_1}(\mathcal{N}) \vdash \forall x\,\exists y\,\theta(x, y)$. $\square$ 

Functions with a $\Delta_0$-definable graph will play a prominent role throughout 
this work. Let us introduce the following notation. 

We denote by $\Delta_0^*$ the class of sets $\Delta_0$-definable in the standard model. The 
graph of a function $f$ is denoted by $Gr(f) = \{(a, b) \in \omega^{n+1} : f(a) = b\}$. If $\mathcal{C}$ is a 
class of functions, then $\mathcal{C}_*$ denotes the class of subsets of $\omega^k$ whose characteristic 
functions are in $\mathcal{C}$. Finally, given $f, g : \omega^n \to \omega$, we write $f \le g$ to mean that for 
each $a \in \omega^n$, $f(a) \le g(a)$. 

One of the aims of this work is to obtain descriptions of $\mathcal{R}(T)$ as a function 
algebra generated by means of some operators from a small set of basic functions. 
The considered classes of basic functions will always contain the set 

$\mathcal{B} = \{S, O\} \cup \{\pi^n_i : 1 \le i \le n\}$ 

where $S, O : \omega \to \omega$ are given by $S(a) = a + 1$ and $O(a) = 0$, and $\pi^n_i : \omega^n \to \omega$ 
by $\pi^n_i(a_1, \ldots, a_n) = a_i$. As operators, beside composition, we consider: 

Bounded minimization, $\mu_<$: If $g : \omega^{m+1} \to \omega$, then $f = \mu_<(g)$ is the function 
$f : \omega^{m+1} \to \omega$ defined by 

$f(a_1, \ldots, a_m, b) = \min(\{z : g(a, z) = 0\})$, if $\exists z < b\,(g(a, z) = 0)$; and $0$ otherwise. 

Bounded recursion, BR: A function $f : \omega^{n+1} \to \omega$ is defined from $g : \omega^n \to \omega$, 
$h : \omega^{n+2} \to \omega$ and $C : \omega^{n+1} \to \omega$ by bounded recursion if $f \le C$ and 

$f(x, 0) = g(x);\quad f(x, y+1) = h(x, y, f(x, y)).$ 

In this case we write $f = BR_C(g, h)$ and we shall say that $f$ is defined by 
$C$-bounded recursion from $g$ and $h$. 

Let $\mathcal{F}$ be a class containing $\mathcal{B}$. In this paper, $\mathcal{C}(\mathcal{F})$ will denote the closure of $\mathcal{F}$ 
under composition and $\mathcal{E}(\mathcal{F})$ the closure of $\mathcal{F}$ under composition and bounded 
recursion. We also consider the following slight (but crucial) modification of 
closure under bounded recursion. 

Definition. $\mathcal{E}^{\mathcal{F}}$ is the smallest class of functions containing $\mathcal{B}$ and closed un- 
der composition and $\mathcal{F}$-bounded recursion; that is, closed under $C$-bounded 
recursion for every $C \in \mathcal{F}$. 

Let us observe that $\mathcal{E}^{\mathcal{F}} \subseteq \mathcal{PR}$ and, if $\mathcal{F} \subseteq \mathcal{E}^{\mathcal{F}}$, then $\mathcal{C}(\mathcal{F}) \subseteq \mathcal{E}^{\mathcal{F}} \subseteq \mathcal{E}(\mathcal{F})$. 
Grzegorczyk's classes, $\mathcal{E}^n$, can be described in the form $\mathcal{E}^{\mathcal{F}}$. For instance, let 
$\mathcal{V}_0$, $\mathcal{V}_1$ and $\mathcal{V}_2$ be, respectively, the classes of functions $\mathcal{C}(\mathcal{B})$, $\mathcal{C}(\mathcal{B} \cup \{+\})$ and 
$\mathcal{C}(\mathcal{B} \cup \{+, \times\})$; then, for $j = 0, 1, 2$, it holds that $\mathcal{E}^{\mathcal{V}_j} = \mathcal{E}^j$ (see [13]). 

The basic function algebra in this paper will be Grzegorczyk's class $\mathcal{M}^2$, the 
closure of $\mathcal{B} \cup \{+, \times\}$ under composition and bounded minimization (see [6, 13]). As we shall see 
(Proposition 3), $\mathcal{M}^2$ is the class $\mathcal{R}(I\Delta_0)$ and, therefore, all function algebras 
considered in this paper contain it. This motivates the following definition. 

Definition. An F-algebra is a family, $\mathcal{C}$, of computable functions containing $\mathcal{B}$ 
and closed under composition. We shall say that $\mathcal{C}$ is rudimentary if $\mathcal{M}^2 \subseteq \mathcal{C}$. 


A pairing function is available in $\mathcal{M}^2$. Let $J : \omega^2 \to \omega$ be Cantor's pairing function. 
Its lateral inverses $K$, $L$ are given by $K(a) = (\mu z)_{\le a}(\exists y \le a\,(J(z, y) = a))$ 
and $L(a) = (\mu z)_{\le a}(\exists x \le a\,(J(x, z) = a))$. Then $J, K, L \in \mathcal{M}^2$. We shall write 
$\langle x, y \rangle = J(x, y)$ and $(z)_0 = K(z)$, $(z)_1 = L(z)$. 
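The two operators defined above (bounded minimization $\mu_<$ and $C$-bounded recursion $BR_C$) and the pairing function with its lateral inverses are easy to make executable, which also makes the side condition $f \le C$ concrete: a recursion whose values leave the bound is simply not a $C$-bounded recursion. The following Python program is an added example, not code from the paper; it assumes the usual Cantor polynomial $J(x,y) = (x+y)(x+y+1)/2 + y$ (the paper does not display its formula), and the names `bounded_min`, `bounded_recursion`, `BoundViolation`, `mult` and `pow2_poly_bound` are ours.

```python
"""Added example (not from the paper): the operators of Section 2 as
executable Python.  bounded_min is mu_<, bounded_recursion is BR_C with the
side condition f <= C checked at every stage, and J, K, L are Cantor's pairing
function and its lateral inverses, K and L being defined by bounded
minimization exactly as in the text.

Assumption (the paper does not display it): J(x, y) = (x+y)(x+y+1)/2 + y."""
from typing import Callable

Fn = Callable[..., int]


def bounded_min(g: Fn) -> Fn:
    """mu_<(g): f(a, b) = min{z : g(a, z) = 0} if some z < b has g(a, z) = 0,
    and 0 otherwise (the definition on the page)."""
    def f(*args: int) -> int:
        *a, b = args
        for z in range(b):
            if g(*a, z) == 0:
                return z
        return 0
    return f


class BoundViolation(Exception):
    """Raised when a stage of the recursion exceeds C, i.e. f <= C fails."""


def bounded_recursion(g: Fn, h: Fn, bound: Fn) -> Fn:
    """BR_C(g, h): f(x, 0) = g(x), f(x, y+1) = h(x, y, f(x, y)).  The side
    condition f <= C is checked at every stage, so a violation means that
    (g, h, C) does not define a function by C-bounded recursion."""
    def f(*args: int) -> int:
        *x, y = args
        acc = g(*x)
        if acc > bound(*x, 0):
            raise BoundViolation(f"f({x}, 0) = {acc} exceeds C")
        for i in range(y):
            acc = h(*x, i, acc)
            if acc > bound(*x, i + 1):
                raise BoundViolation(f"f({x}, {i + 1}) = {acc} exceeds C")
        return acc
    return f


def violates_bound(f: Fn, *args: int) -> bool:
    """True iff evaluating f on args trips the C-bound check."""
    try:
        f(*args)
    except BoundViolation:
        return True
    return False


def J(x: int, y: int) -> int:
    """Cantor's pairing function (assumed variant, see the docstring above)."""
    return (x + y) * (x + y + 1) // 2 + y


def K(a: int) -> int:
    """K(a) = (mu z)<=a (exists y <= a : J(z, y) = a); 'z <= a' is 'z < a+1'."""
    g = lambda a, z: 0 if any(J(z, y) == a for y in range(a + 1)) else 1
    return bounded_min(g)(a, a + 1)


def L(a: int) -> int:
    """L(a) = (mu z)<=a (exists x <= a : J(x, z) = a)."""
    g = lambda a, z: 0 if any(J(x, z) == a for x in range(a + 1)) else 1
    return bounded_min(g)(a, a + 1)


def pairing_roundtrip(limit: int) -> bool:
    """Check K(J(x, y)) = x and L(J(x, y)) = y for all x, y < limit."""
    return all(K(J(x, y)) == x and L(J(x, y)) == y
               for x in range(limit) for y in range(limit))


# Multiplication by C-bounded recursion from addition with C(x, y) = x * y:
# f(x, 0) = 0, f(x, y+1) = f(x, y) + x, and f <= C holds (with equality).
mult = bounded_recursion(lambda x: 0, lambda x, i, acc: acc + x,
                         lambda x, y: x * y)

# 2^y by recursion under the polynomial bound C(y) = y^2 + 1: the bound holds
# up to y = 4 (16 <= 17) and fails at y = 5 (32 > 26), so this triple does
# NOT define a function by C-bounded recursion.
pow2_poly_bound = bounded_recursion(lambda: 1, lambda i, acc: 2 * acc,
                                    lambda y: y * y + 1)

if __name__ == "__main__":
    print(J(3, 5), K(J(3, 5)), L(J(3, 5)))   # 41 3 5
    print(mult(6, 7))                         # 42
    print(pow2_poly_bound(4))                 # 16
    print(violates_bound(pow2_poly_bound, 5)) # True
```

The failing `pow2_poly_bound` case is the point of the definition: the bounding function $C$ is what separates $\mathcal{E}^{\mathcal{F}}$ from full primitive recursion, since only bounds taken from $\mathcal{F}$ are allowed.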

Basic properties of $\mathcal{M}^2$ are summed up in the next proposition (see [6] or [13]). 



Proposition 2. 

... /:w'=- 

( ) 

c ) Gr{f) G Z18 



A° = Ml 

to, , I 



U C, 



f<t 



As a consequence, a characterization of $\mathcal{R}(I\Delta_0)$ can be obtained. A proof- 
theoretic proof of this result was obtained by G. Takeuti (see [16]). 

Proposition 3. $\mathcal{M}^2 = \mathcal{R}(I\Delta_0)$. 

Hence, for every extension, $T$, of $I\Delta_0$ the class $\mathcal{R}(T)$ is a rudimentary F- 
algebra. Now we introduce a necessary and sufficient condition under which a 
rudimentary F-algebra is the class of p.t.c.f. of some theory. The following results 
seem to be folklore and have appeared more or less explicitly in the literature (see 
proposition 4.1 in [2] and previous remarks in that paper). However, Theorem 
1 below does not seem to be known. As was remarked in the Introduction, it 
provides interesting insights on open problems in Complexity Theory. 



Lemma 1. Let $\mathcal{C}$ be a rudimentary F-algebra and $f : \omega^n \to \omega$ such that 
$Gr(f) \in \Delta_0^*$. If there exists $g \in \mathcal{C}$ such that $f \le g$, then $f \in \mathcal{C}$. 

Proof. Let $h : \omega^{n+1} \to \omega$ be given by $h(a, b) = (\mu z)_{\le b}[f(a) = z]$. Since $Gr(f) \in \Delta_0^*$, 
$Gr(h) \in \Delta_0^*$. By Proposition 2-(2), $h \in \mathcal{M}^2 \subseteq \mathcal{C}$. Let $g \in \mathcal{C}$ be such that $f \le g$. 
Then $f(a) = h(a, g(a))$. Since $\mathcal{C}$ is closed under composition, $f \in \mathcal{C}$. $\square$ 



Lemma 2. Let $T$ be an extension of $I\Delta_0$. For each $f \in \mathcal{R}(T)$ there exists 
$g \in \mathcal{R}(T)$ with $Gr(g) \in \Delta_0^*$ such that $f = K \circ g$. 

Proof. For each $f \in \mathcal{R}(T)$ and $\varphi(x, y, z) \in \Delta_0$ such that $\exists z\,\varphi(x, y, z)$ defines $f$ 
in $T$, let $\psi(x, v) \in \Delta_0$ be the formula 

$\exists y, z \le v\,[\langle y, z \rangle = v \wedge \varphi(x, y, z) \wedge \forall z' < z\,\neg\varphi(x, y, z')].$ 

Then $T \vdash \forall x\,\exists! y\,\psi(x, y)$. Let $g$ be the function defined in $\mathcal{N}$ by $\psi$. Then 
$g \in \mathcal{R}(T)$, $Gr(g) \in \Delta_0^*$ and $f(a) = K(g(a))$. $\square$ 

The above lemma motivates the following definition. 

Definition. Let $\mathcal{C}$ be a rudimentary F-algebra. We say that $\mathcal{C}$ is a $\Delta_0$-generated 
F-algebra if for each $f \in \mathcal{C}$ there exist $g_1, g_2 \in \mathcal{C}_0$ such that $f = g_1 \circ g_2$, 
where $\mathcal{C}_0 = \{h \in \mathcal{C} : Gr(h) \in \Delta_0^*\}$. 

The following result shows that $\Delta_0$-generated F-algebras correspond to classes 
of p.t.c.f. of extensions of $I\Delta_0$. 

Theorem 1. Let $\mathcal{C}$ be a rudimentary F-algebra. The following are equivalent: 

(1) $\mathcal{C}$ is $\Delta_0$-generated. 

(2) There exists an extension $T$ of $I\Delta_0$ such that $\mathcal{R}(T) = \mathcal{C}$. 

Proof. (2) $\Rightarrow$ (1): It follows from Proposition 3 and Lemma 2. 

(1) $\Rightarrow$ (2): For each $f \in \mathcal{C}_0 = \{h \in \mathcal{C} : Gr(h) \in \Delta_0^*\}$, let $\theta_f(x, y)$ be a $\Delta_0$- 
formula defining $f$ in $\mathcal{N}$. Let $\Gamma = \{\forall x\,\exists y\,\theta_f(x, y) : f \in \mathcal{C}_0,\ f : \omega \to \omega\}$. The next 
claim is a slight generalization of proposition 4.2 in [2] and it can also be proved 
along the lines sketched there. 

Claim: $\mathcal{R}(I\Delta_0 + \Gamma) = \mathcal{C}(\mathcal{M}^2 \cup \mathcal{C}_0)$. 

Thus, $\mathcal{R}(I\Delta_0 + \Gamma) = \mathcal{C}(\mathcal{M}^2 \cup \mathcal{C}_0) = \mathcal{C}$, the last equality because $\mathcal{C}$ is $\Delta_0$-generated. 
$\square$ 

3 Axiomatizing $\Delta_{n+1}(T)$-Induction 

The aim of this section is to characterize the class of primitive recursive functions 
in $\mathcal{R}(T)$, where $T$ is an extension of $I\Delta_0$, as the class of p.t.c.f. of a suitable 
theory. To this end, we consider the class of $\Delta_{n+1}(T)$-formulas: 

$\Delta_{n+1}(T) = \{\varphi(x, v) \in \Sigma_{n+1} : \text{there exists } \psi(x, v) \in \Pi_{n+1},\ T \vdash \varphi \leftrightarrow \psi\}.$ 

When the schemes of induction and minimization are restricted to these 
classes of formulas we obtain the theories $I\Delta_{n+1}(T)$ and $L\Delta_{n+1}(T)$ introduced 
in [9]. There the following version of the collection scheme is also considered: 

$B^*\Delta_{n+1}(T) = I\Delta_0 + \{B_{\varphi,x,y}(z, v) : \varphi \in \Pi_n,\ \exists y\,\varphi(x, y, v) \in \Delta_{n+1}(T)\}.$ 

Let us state here some basic properties of these theories; for details and proofs 
see [9]. If $\varphi \in \Sigma_{n+1}$ and $\psi \in \Pi_{n+1}$ then $\varphi \leftrightarrow \psi$ is a $\Pi_{n+2}$-formula. Therefore, 

— If $Th_{\Pi_{n+2}}(T) = Th_{\Pi_{n+2}}(T')$ then $I\Delta_{n+1}(T) \iff I\Delta_{n+1}(T')$. 
A similar result holds for minimization and collection. The following basic 
properties will be used without explicit mention. 

— $L\Delta_{n+1}(T) \Longrightarrow I\Delta_{n+1}(T)$ and $B^*\Delta_{n+1}(T) \Longrightarrow I\Sigma_n$. 

— If $T$ is an extension of $I\Pi_n$ then $L\Delta_{n+1}(T) \Longrightarrow B^*\Delta_{n+1}(T)$. 

As noticed in [9], the last property follows by an argument that mimics the proof 
of Gandy's Theorem, $L\Delta_1 \Longrightarrow B\Sigma_1$, given in [10], lemma 1.2.17. A variation of 
that argument, considering also lemma 1.2.16 in [10], gives us that 

Lemma 3. $Th_{\Pi_{n+2}}(T) + L\Delta_{n+1}(T) \iff Th_{\Pi_{n+2}}(T) + B^*\Delta_{n+1}(T).$ 

The following notion, introduced in [9], has turned out to be useful for the 
study of $\Delta_{n+1}(T)$-induction. 

Definition. We say that $T$ has $\Delta_{n+1}$-induction if $T \Longrightarrow I\Delta_{n+1}(T)$. 

Theories $I\Delta_{n+1}(T)$ and $L\Delta_{n+1}(T)$ are $\Pi_{n+3}$-axiomatizable. But adding to 
them $Th_{\Pi_{n+2}}(T)$, their quantifier complexity is reduced to $\Pi_{n+2}$. 

Lemma 4. $Th_{\Pi_{n+2}}(T) + I\Delta_{n+1}(T)$ and $Th_{\Pi_{n+2}}(T) + L\Delta_{n+1}(T)$ are $\Pi_{n+2}$-axiomatizable. 

In this section we shall obtain a useful axiomatization of $I\Delta_{n+1}(T)$ in terms of 
$I\Sigma_{n+1}$ and $Th_{\Pi_{n+2}}(T)$. To this end we introduce the disjunction of two theories, 
which corresponds to intersection between classes of p.t.c.f. 

If $T_1$ and $T_2$ are theories in the language $\mathcal{L}$, then $T_1 \vee T_2$ denotes the theory 
axiomatized by the set of formulas $\{\varphi_1 \vee \varphi_2 : \varphi_1 \in T_1 \text{ and } \varphi_2 \in T_2\}$. 
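Why the disjunction of theories corresponds to intersection is not spelled out in the paper; the following derivation is added here (it is not part of the original text) and only uses the definition of $T_1 \vee T_2$ just given:

$$
\text{For every structure } \mathfrak{A}:\qquad \mathfrak{A} \models T_1 \vee T_2 \iff \mathfrak{A} \models T_1 \ \text{ or } \ \mathfrak{A} \models T_2 .
$$

$(\Leftarrow)$ If $\mathfrak{A} \models T_1$, then for every $\varphi_1 \in T_1$ and $\varphi_2 \in T_2$ we have $\mathfrak{A} \models \varphi_1$, hence $\mathfrak{A} \models \varphi_1 \vee \varphi_2$; symmetrically for $T_2$.

$(\Rightarrow)$ Suppose $\mathfrak{A} \models T_1 \vee T_2$ and $\mathfrak{A} \not\models T_1$. Pick $\varphi_1 \in T_1$ with $\mathfrak{A} \models \neg\varphi_1$. For every $\varphi_2 \in T_2$, $\mathfrak{A} \models \varphi_1 \vee \varphi_2$ together with $\mathfrak{A} \models \neg\varphi_1$ gives $\mathfrak{A} \models \varphi_2$; so $\mathfrak{A} \models T_2$.

By completeness, therefore,

$$
T_1 \vee T_2 \vdash \theta \iff T_1 \vdash \theta \ \text{ and } \ T_2 \vdash \theta ,
$$

i.e. $T_1 \vee T_2$ is the set of common consequences of $T_1$ and $T_2$. Since $T_1, T_2 \Longrightarrow T_1 \vee T_2$, any $\Sigma_1$ definition that works in $T_1 \vee T_2$ works in both $T_i$, which is the easy inclusion $\mathcal{R}(T_1 \vee T_2) \subseteq \mathcal{R}(T_1) \cap \mathcal{R}(T_2)$ of Lemma 5 below; the converse inclusion is the non-trivial part, because a function may have different defining formulas in $T_1$ and in $T_2$, and the pairing function is what merges them into a single formula.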

Lemma 5. For all theories $T_1$, $T_2$: $\mathcal{R}(T_1 \vee T_2) = \mathcal{R}(T_1) \cap \mathcal{R}(T_2)$. 

Proof. Since $T_1, T_2 \Longrightarrow T_1 \vee T_2$, it holds that $\mathcal{R}(T_1 \vee T_2) \subseteq \mathcal{R}(T_1) \cap \mathcal{R}(T_2)$. 
Conversely, if $f \in \mathcal{R}(T_1) \cap \mathcal{R}(T_2)$, then there exist $\psi_1(x, y, z), \psi_2(x, y, z) \in \Delta_0$ 
such that $\exists z\,\psi_i(x, y, z)$ defines $f$ in $T_i$. Let $\theta_0(x, u) \in \Delta_0$ be the formula 
$(\psi_1(x, (u)_0, (u)_1) \vee \psi_2(x, (u)_0, (u)_1))$ and let $\theta(x, y)$ be the formula 

$\exists z\,[\theta_0(x, \langle y, z \rangle) \wedge \forall w < \langle y, z \rangle\,\neg\theta_0(x, w)].$ 

Then $\theta(x, y)$ defines $f$ in $T_1 \vee T_2$. So, $f \in \mathcal{R}(T_1 \vee T_2)$. $\square$ 

The next proposition is theorem 2.2 in [8]. Now it can be rephrased as follows. 

Proposition 4. (1) If $\mathfrak{A} \not\models Th_{\Pi_{n+2}}(T)$ and $\mathfrak{A} \models I\Delta_{n+1}(T)$, then $\mathfrak{A} \models I\Sigma_{n+1}$. Hence, 

$I\Delta_{n+1}(T) \Longrightarrow I\Sigma_{n+1} \vee Th_{\Pi_{n+2}}(T).$ 

(2) If $T$ has $\Delta_{n+1}$-induction, then $I\Delta_{n+1}(T) \iff I\Sigma_{n+1} \vee Th_{\Pi_{n+2}}(T)$. 

From this proposition, using Lemma 5, a first result on $\mathcal{R}(T) \cap \mathcal{PR}$ is obtained 
for theories with $\Delta_1$-induction. 
Corollary 1. $\mathcal{PR} \cap \mathcal{R}(T) \subseteq \mathcal{R}(I\Delta_1(T))$. 

If $T$ has $\Delta_1$-induction, then $\mathcal{PR} \cap \mathcal{R}(T) = \mathcal{R}(I\Delta_1(T))$. 

By Lemma 5, $\mathcal{R}(T) \cap \mathcal{PR}$ is always a $\Delta_0$-generated F-algebra. To get a 
natural theory $T'$ such that $\mathcal{R}(T') = \mathcal{R}(T) \cap \mathcal{PR}$ without assuming that $T$ 
has $\Delta_1$-induction, we consider parameter free versions of $I\Delta_{n+1}(T)$ and $I\Sigma_{n+1}$, 
denoted by $I\Delta_{n+1}(T)^-$ and $I\Sigma_{n+1}^-$, respectively. 

Theorem 2. For every theory $T$, $\mathcal{R}(I\Delta_1(T)^-) = \mathcal{R}(T) \cap \mathcal{PR}$. 

Proof. By a similar argument to that of theorem 2.2 in [8], it is shown that: 

$I\Delta_{n+1}(T)^- \Longrightarrow I\Sigma_{n+1}^- \vee Th_{\Pi_{n+2}}(T).$ 

Since $\mathcal{PR} = \mathcal{R}(I\Sigma_1^-)$, by Lemma 5, $\mathcal{PR} \cap \mathcal{R}(T) = \mathcal{R}(I\Sigma_1^- \vee T) \subseteq \mathcal{R}(I\Delta_1(T)^-)$. 

Let us prove $\mathcal{R}(I\Delta_1(T)^-) \subseteq \mathcal{R}(T) \cap \mathcal{PR}$. Obviously, $\mathcal{R}(I\Delta_1(T)^-) \subseteq \mathcal{PR}$. 
Now, let us observe that $I\Delta_1^-$ is $\Sigma_2$-axiomatizable and, therefore, 

$T + Th_{\Pi_1}(\mathcal{N}) \Longrightarrow T + I\Delta_1^- \Longrightarrow T + I\Delta_1(T)^- \Longrightarrow I\Delta_1(T)^-.$ 

So, by Proposition 1, $\mathcal{R}(I\Delta_1(T)^-) \subseteq \mathcal{R}(T + Th_{\Pi_1}(\mathcal{N})) = \mathcal{R}(T)$. $\square$ 



4 $\mathcal{C}$-Bounded Recursive Arithmetic: $\mathcal{C}$-BRA 

In this section we characterize $\mathcal{R}(T) \cap \mathcal{PR}$ in terms of bounded recursion. Our 
main tool will be a version of the well-known system PRA (Primitive Recursive 
Arithmetic). Our analysis of this theory follows the lines sketched in [1]. 

Definition. Let $\mathcal{C}$ be a rudimentary F-algebra. The theory $\mathcal{C}$-BRA, $\mathcal{C}$-Bounded 
Recursive Arithmetic, is given by: 

- Language: $\bigcup_j L_j$, where 

• $L_0 = \mathcal{L}$ plus a function symbol $B_f$ for each basic function $f \in \mathcal{B}$. 

• $L_{j+1} = L_j$ plus a function symbol $f_t$ for each term $t$ of $L_j$, and a function 
symbol $f_{t_1,t_2,g}$ for each function $g \in \mathcal{C}$ and terms $t_1(x)$, $t_2(x, y, z)$ of $L_j$ 
such that the function defined from $t_1$ and $t_2$ by primitive recursion is 
bounded by $g$, i.e., $h \le g$, where $h : \omega^{n+1} \to \omega$ is the function given by 

$h(x, 0) = t_1(x),\quad h(x, y+1) = t_2(x, y, h(x, y)).$ 

— Axioms: 

(1) $P^-$. 

(2) $B_S(x) = x + 1$, $B_{\pi^n_i}(x_1, \ldots, x_n) = x_i$, $B_O(x) = 0$. 

(3) $f_t(x) = t(x)$. 

(4) $f_{t_1,t_2,g}(x, 0) = t_1(x)$, $f_{t_1,t_2,g}(x, y+1) = t_2(x, y, f_{t_1,t_2,g}(x, y))$. 

(5) Open Induction: the induction scheme for open formulas of $\bigcup_j L_j$. 

It is routine to check that $\mathcal{C}$-BRA satisfies the following properties stated 
for PRA in [1]. 
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Lemma 6. , n 

C BRA ■ r . . ^ ^ , 

C BRA , Ag . I- 
C BRA . ^ ^ - 
C BRA . - H -« 



Lemma 7. $\mathcal{R}(\mathcal{C}\text{-BRA}) = \mathcal{E}^{\mathcal{C}}$. 

Proof. Obviously $\mathcal{E}^{\mathcal{C}} \subseteq \mathcal{R}(\mathcal{C}\text{-BRA})$. Since $\mathcal{C}$-BRA is a universal theory and 
supports definition by cases, the result follows from Herbrand's theorem. $\square$ 

Next we investigate the relations between $\mathcal{PR} \cap \mathcal{R}(T)$ and $\mathcal{E}^{\mathcal{C}}$. The key in- 
gredient is Theorem 3 below, stating a conservation result between $\mathcal{C}$-BRA and 
$L\Delta_1(T)$. In the proof of that theorem we use the model-theoretic framework 
developed by Avigad in [1]. Let us recall some definitions and results from that 
paper that will be used in what follows. 



Definition. We say that a structure $\mathfrak{A}$ is $\exists_2$-closed (or Herbrand saturated, in 
Avigad's terminology) if for each $\varphi(x) \in \exists_2$ and $a \in \mathfrak{A}$ such that $\mathfrak{B} \models \varphi(a)$ for 
some $\mathfrak{B}$ with $\mathfrak{A} \subseteq \mathfrak{B}$, it holds that $\mathfrak{A} \models \varphi(a)$. 

As is proved in [1], every universal theory has an $\exists_2$-closed model. For these 
models the following results hold (see [1], theorems 3.3 and 3.4): 



Proposition 5. , 21 , , 32 u , . 

^\=yx3y9{x,y,a) , , , 

. 21 1= 3ru V'(a, w) 



6{x,y,z) . 

, . . I . 1 . \p{z, w ) . , 



1= ip^z, w) 9{x, ti(x, z, tc), z) V • • • V 9{x, tk{x, z,w),z). 



Proposition 6. , T 2 . . i - , 1 Ti . , 

I- .',T2 ,, , 32-1..,- -.,i.,T2 -- Ti, , , , 

V 2 , Ti . . ... . , T 2 

The last proposition is used in [1] to obtain new proofs of a number of conser- 
vation results. In what follows we use it to prove our main conservation result. 
First of all, we show that $\exists_2$-closed models of $\mathcal{C}$-BRA satisfy $\Delta_1$-collection. 

Lemma 8. Let $\mathfrak{A}$ be an $\exists_2$-closed model of $\mathcal{C}$-BRA. Then 

(1) if $\varphi, \psi \in \Delta_0$ and $a \in \mathfrak{A}$ are such that $\mathfrak{A} \models \exists y\,\varphi(x, y, a) \leftrightarrow \forall y\,\psi(x, y, a)$, then 
$\exists y\,\varphi(x, y, a)$ is equivalent in $\mathfrak{A}$ to an open formula with parameters in $\mathfrak{A}$; 

(2) $\mathfrak{A} \models B\Sigma_1$. 

Proof. (1) Let $\varphi(x, y, v), \psi(x, y, v) \in \Delta_0$ and $a \in \mathfrak{A}$ such that 

$\mathfrak{A} \models \exists y\,\varphi(x, y, a) \leftrightarrow \forall y\,\psi(x, y, a).$ 

Let $\theta(x, y, v)$ be the formula $\varphi(x, y, v) \vee \neg\psi(x, y, v)$. Then $\mathfrak{A} \models \forall x\,\exists y\,\theta(x, y, a)$. 
By Lemma 6, there exist quantifier-free formulas $\varphi_0$ and $\theta_0$ such that 

$\mathcal{C}\text{-BRA} \vdash (\varphi \leftrightarrow \varphi_0) \wedge (\theta_0 \leftrightarrow \theta).$ 

Then $\mathfrak{A} \models \forall x\,\exists y\,\theta_0(x, y, a)$ and, by Proposition 5 (recall that $\mathcal{C}$-BRA supports 
definition by cases), there exist $b \in \mathfrak{A}$ and a term $t(x, v, w)$ such that $\mathfrak{A} \models 
\forall x\,\theta_0(x, t(x, a, b), a)$. As a consequence, $\mathfrak{A} \models \exists y\,\varphi(x, y, a) \leftrightarrow \varphi_0(x, t(x, a, b), a)$. 

(2) By Lemma 6, the class of open formulas is closed in $\mathcal{C}$-BRA under 
bounded quantification. Since $\mathcal{C}$-BRA proves open induction, a standard ar- 
gument (see lemma 1.2.12 in [10]) shows that the minimization scheme for open 
formulas holds in $\mathcal{C}$-BRA. So, by (1), $\mathfrak{A} \models L\Delta_1$. But $L\Delta_1 \iff B\Sigma_1$ (see [10], 
lemmas 1.2.16, 1.2.17); hence $\mathfrak{A} \models B\Sigma_1$. $\square$ 

Theorem 3. Let $T$ be a sound $\Pi_2$-axiomatized extension of $I\Delta_0$ and $\mathcal{C} = \mathcal{R}(T)$. 
Then, for every $\Pi_2$-sentence $\theta$, if $L\Delta_1(T) \vdash \theta$ then $\mathcal{C}\text{-BRA} \vdash \theta$. 

Proof. Since $\mathcal{C}$-BRA is a universal theory, following [1], we prove that every 
$\exists_2$-closed model of $\mathcal{C}$-BRA, $\mathfrak{A}$, is a model of $L\Delta_1(T)$. Then the result follows 
by Proposition 6. In a first step we prove $\mathfrak{A} \models I\Delta_1(T)$. 

Let $\varphi(x, y, v), \psi(x, y, v) \in \Delta_0$ such that $T \vdash \exists y\,\varphi(x, y, v) \leftrightarrow \forall y\,\psi(x, y, v)$. We 
may assume that $T \vdash \varphi(x, y_1, v) \wedge \varphi(x, y_2, v) \to y_1 = y_2$ (if not, we take as 
$\varphi$ the formula $\varphi(x, y, v) \wedge \forall z < y\,\neg\varphi(x, z, v)$). Let $\theta(x, y, v) \in \Delta_0$ be the formula 
$\varphi(x, y, v) \vee \neg\psi(x, y, v)$. Then, 

$T \vdash \forall x\,\exists y\,(\theta(x, y, v) \wedge \forall z < y\,\neg\theta(x, z, v)).$ 

Since $T$ is a sound theory, the formula $\theta(x, y, v) \wedge \forall z < y\,\neg\theta(x, z, v)$ defines a 
p.t.c.f. of $T$, say $f$. Then $\mathcal{N} \models \forall y\,(\varphi(x, y, v) \to y \le f(x, v))$. Now, we continue 
the proof as in [1], theorem 4.1. 

Let $\mathfrak{A}$ be an $\exists_2$-closed model of $\mathcal{C}$-BRA and $\varphi_0$ an open formula equivalent 
to $\varphi$ in $\mathcal{C}$-BRA. Let us see that $\mathfrak{A} \models I_{\exists y \varphi_0}$. Assume that, for some $a \in \mathfrak{A}$, 

$\mathfrak{A} \models \exists y\,\varphi_0(0, y, a) \wedge \forall x\,(\exists y\,\varphi_0(x, y, a) \to \exists y\,\varphi_0(x+1, y, a)).$ 

Then, as in [1], since $\mathcal{C}$-BRA supports definition by cases, by Proposition 5, 
there exist $b, c \in \mathfrak{A}$ and a function symbol $g(x, y, v, w)$ such that 

$\mathfrak{A} \models \varphi_0(0, c, a) \wedge \forall x, y\,(\varphi_0(x, y, a) \to \varphi_0(x+1, g(x, y, a, b), a)).$ 
Let us denote by g the function defined by g in Af. Let ho ■ ^ w be 

defined in Af by 

h (-r- n, r, F , z , V , w) , if ipo{x + 1 , g{x , z , V , w) , 

fio[x, y, z, v,w)- otherwise. 

Then $h_0 \in \mathcal{E}^{\mathcal{C}}$. Let $f_0$ be the function defined by primitive recursion as follows: 
$f_0(0, y, v, w) = y$, $f_0(x+1, y, v, w) = h_0(x, y, f_0(x, y, v, w), v, w)$. 

Then $f_0(x, y, v, w) \le f'(x, y, v, w) = f(x+1, v) + y$. So, $f_0 \in \mathcal{E}^{\mathcal{C}}$, since it 
is defined by $f'$-bounded recursion and $f' \in \mathcal{C}$. Let $\mathbf{f}_0$ be the function symbol 
corresponding to $f_0$. Then $\mathfrak{A}$ satisfies that 

$\varphi_0(0, \mathbf{f}_0(0, c, a, b), a) \wedge \forall x\,(\varphi_0(x, \mathbf{f}_0(x, c, a, b), a) \to \varphi_0(x+1, \mathbf{f}_0(x+1, c, a, b), a)).$ 

Since $\mathfrak{A}$ satisfies open induction, $\mathfrak{A} \models \forall x\,\varphi_0(x, \mathbf{f}_0(x, c, a, b), a)$. Hence, it fol- 
lows that $\mathfrak{A} \models \forall x\,\exists y\,\varphi(x, y, a)$. So, $\mathfrak{A} \models I\Delta_1(T)$. 

Let us see that $\mathfrak{A} \models L\Delta_1(T)$. We distinguish two cases: 

1. If $\mathfrak{A} \not\models T$ then, since $T$ is $\Pi_2$-axiomatized, by Proposition 4, $\mathfrak{A} \models I\Sigma_1$. 

2. If $\mathfrak{A} \models T$, then, by Lemma 8, $\mathfrak{A} \models T + B\Sigma_1$; hence, $\mathfrak{A} \models L\Delta_1(T)$. $\square$ 

As a consequence, we get some results relating $\mathcal{E}^{\mathcal{C}}$ and $\mathcal{C} \cap \mathcal{PR}$. The notion of 
$\Delta_0$-generativeness provides a necessary and sufficient condition for $\mathcal{E}^{\mathcal{C}} = \mathcal{C} \cap \mathcal{PR}$. 

Theorem 4. C , Z\q , ' i , - 

'P7^ n c z\o , , . , . 

rnrccs^ = g ^(^7^ ^ 

, C , u . , , , , , , , , S^ = E('P7^nC) 

Proof. By Theorem 1, there is a sound extension of $\mathrm{I}\Delta_0$, $T$, such that $\mathcal{R}(T) = \mathcal{C}$.

(1) Since $\mathcal{C} \cap \mathcal{PR} = \mathcal{R}(T \vee \mathrm{I}\Sigma_1)$, by Theorem 1, $\mathcal{C} \cap \mathcal{PR}$ is $\Delta_0$-generated.

(2) By Corollary 1, $\mathcal{PR} \cap \mathcal{C} \subseteq \mathcal{R}(\mathrm{I}\Delta_1(T))$. Moreover, by Theorem 3 and Lemma 7, $\mathcal{R}(\mathrm{I}\Delta_1(T)) \subseteq \mathcal{E}^{\mathcal{C}}$; so, $\mathcal{PR} \cap \mathcal{C} \subseteq \mathcal{E}^{\mathcal{C}}$. It is trivial that $\mathcal{E}^{\mathcal{C} \cap \mathcal{PR}} \subseteq \mathcal{E}^{\mathcal{C}}$.

Now, let us see that $\mathcal{E}^{\mathcal{C}} = \mathcal{E}^{\mathcal{C} \cap \mathcal{PR}}$. It is enough to prove that $\mathcal{E}^{\mathcal{C}} \subseteq \mathcal{E}^{\mathcal{C} \cap \mathcal{PR}}$. We proceed by induction on the definition of $f \in \mathcal{E}^{\mathcal{C}}$. The critical step is the definition by $\mathcal{C}$-bounded recursion. But, let us observe that if $f \in \mathcal{E}^{\mathcal{C}}$ is defined by $\mathcal{C}$-bounded recursion, then $f$ is bounded by a function $g_1 \in \mathcal{C}$ and by a function $g_2 \in \mathcal{PR}$ (in fact, $f \in \mathcal{PR}$). We prove that in this case $f$ is bounded by a function $h \in \mathcal{C} \cap \mathcal{PR}$.

Let $\psi_1(x, y, z), \psi_2(x, y, z) \in \Delta_0$ be such that $\exists z\,\psi_1(x, y, z)$ and $\exists z\,\psi_2(x, y, z)$ define $g_1$ and $g_2$ in $T$ and $\mathrm{I}\Sigma_1$, respectively. Let $\theta_0(x, u) \in \Delta_0$ be the formula

$(\psi_1(x, (u)_0, (u)_1) \vee \psi_2(x, (u)_0, (u)_1)) \wedge \forall v < u\,(\neg\psi_1(x, (v)_0, (v)_1) \wedge \neg\psi_2(x, (v)_0, (v)_1))$.

Then $\exists z\,\theta_0(x, \langle y, z\rangle)$ defines in $T \vee \mathrm{I}\Sigma_1$ a function $h$ such that for all $a \in \omega$, $h(a) = g_1(a)$ or $h(a) = g_2(a)$. So, $h \in \mathcal{R}(T \vee \mathrm{I}\Sigma_1) = \mathcal{C} \cap \mathcal{PR}$ and, since $f \le g_1$ and $f \le g_2$, we have $f \le h$.

(3) Since $\mathcal{C}$ is closed under $\mu\!\le$, each function in $\mathcal{C}$ is bounded by a nondecreasing function also in $\mathcal{C}$. By induction on the construction of $f \in \mathcal{E}^{\mathcal{C} \cap \mathcal{PR}}$, it is proved that each element of $\mathcal{E}^{\mathcal{C}}$ $(= \mathcal{E}^{\mathcal{C} \cap \mathcal{PR}})$ is bounded by an element of $\mathcal{PR} \cap \mathcal{C}$. So, $\mathcal{E}^{\mathcal{C} \cap \mathcal{PR}}$ is closed under bounded recursion. Hence, (3) follows from part (2). □

Proof (of Theorem 5). (2) ⟹ (1): By Theorem 4, $\mathcal{C} \cap \mathcal{PR}$ is $\Delta_0$-generated; so, (1) holds.

(1) ⟹ (2): Let $\mathcal{F}_0$ be the class of all functions in $\mathcal{E}^{\mathcal{C}}$ having a $\Delta_0$-definable graph. Then $\mathcal{E}^{\mathcal{C}} = \mathrm{C}(\mathcal{F}_0)$. By the proof of part (3) of Theorem 4, each function in $\mathcal{E}^{\mathcal{C}}$ is bounded by a function in $\mathcal{C}$. Since $\mathcal{C}$ is a rudimentary $F$-algebra, by Lemma 1, $\mathcal{F}_0 \subseteq \mathcal{C}$ and, as a consequence, $\mathcal{E}^{\mathcal{C}} = \mathrm{C}(\mathcal{F}_0) \subseteq \mathcal{C} \cap \mathcal{PR}$. On the other hand, by Theorem 4, $\mathcal{C} \cap \mathcal{PR} \subseteq \mathcal{E}^{\mathcal{C}}$. This proves (2). □

Corollary 2. , . n. , 

£‘^ . - Aq . I , / . 

= 52 

, , - - , lAo, T, , . f2^7^(T) 

Now we give a characterization of $\mathcal{R}(\mathrm{I}\Delta_1(T))$ in terms of $\mathcal{C}$-bounded recursion.

Theorem 6. Let $T$ be a theory extending $\mathrm{I}\Delta_0 + \exp$, let $\mathcal{C} = \mathcal{R}(T)$ and suppose that $\mathcal{C}$ is closed under $\mu\!\le$. Then

$\mathcal{R}(\mathrm{I}\Delta_1(T)) = \mathcal{R}(\mathrm{L}\Delta_1(T)) = \mathcal{E}^{\mathcal{C}} = \mathcal{C} \cap \mathcal{PR}$.

Proof. Without loss of generality we can assume that $T$ is $\Pi_2$-axiomatized. First we prove the result for $T$ satisfying $\mathrm{I}\Sigma_1 \Rightarrow T$. Then $\mathcal{C} = \mathcal{C} \cap \mathcal{PR}$. By Proposition 4, $\mathrm{L}\Delta_1(T) \Rightarrow \mathrm{I}\Delta_1(T) \Rightarrow T$; hence, $T + \mathrm{L}\Delta_1(T) \Leftrightarrow \mathrm{L}\Delta_1(T)$. By Lemma 8, $T + \mathrm{L}\Delta_1(T) \Leftrightarrow T + \mathrm{B}^*\Delta_1(T)$, so $\mathcal{R}(\mathrm{L}\Delta_1(T)) = \mathcal{R}(T + \mathrm{B}^*\Delta_1(T))$. In [9] (see remark 2.8), it is proved that $T + \mathrm{B}^*\Delta_1(T) \Leftrightarrow [T, \Sigma_1\text{-CR}]$ (the closure of $T$ under unnested applications of the $\Sigma_1$-collection rule). Therefore, by corollary 5.6 in [2], since $T \vdash \exp$ we get

$\mathcal{R}(\mathrm{L}\Delta_1(T)) = \mathcal{R}([T, \Sigma_1\text{-CR}]) = \mathrm{E}(\mathcal{C})$.

By Theorem 4-(3), $\mathcal{E}^{\mathcal{C}} = \mathrm{E}(\mathcal{C} \cap \mathcal{PR})$; so, $\mathcal{R}(\mathrm{L}\Delta_1(T)) = \mathcal{E}^{\mathcal{C}}$, since $\mathcal{C} = \mathcal{C} \cap \mathcal{PR}$. As a consequence, $\mathcal{E}^{\mathcal{C}}$ is $\Delta_0$-generated and, by Theorem 5, $\mathcal{E}^{\mathcal{C}} = \mathcal{C}$. Now the result follows from the chain of inclusions below:

$\mathcal{R}(\mathrm{L}\Delta_1(T)) = \mathcal{E}^{\mathcal{C}} = \mathcal{C} \subseteq \mathcal{R}(\mathrm{I}\Delta_1(T)) \subseteq \mathcal{R}(\mathrm{L}\Delta_1(T))$.

Let us prove the general case. Let $T^{\vee}$ be the theory $\mathrm{I}\Sigma_1 \vee T$. By Lemma 5, $\mathcal{R}(T^{\vee}) = \mathcal{R}(T) \cap \mathcal{R}(\mathrm{I}\Sigma_1)$. Since $\mathrm{I}\Sigma_1 \Rightarrow \mathrm{I}\Delta_0 + \exp$, by the previous case

$\mathcal{R}(\mathrm{L}\Delta_1(T^{\vee})) = \mathcal{E}^{\mathcal{C} \cap \mathcal{PR}} = \mathcal{R}(T^{\vee})$, and by Theorem 4, $\mathcal{E}^{\mathcal{C} \cap \mathcal{PR}} = \mathcal{E}^{\mathcal{C}}$.

So, $\mathcal{E}^{\mathcal{C}}$ is $\Delta_0$-generated and, by Theorem 5, $\mathcal{E}^{\mathcal{C}} = \mathcal{C} \cap \mathcal{PR}$. By Theorem 3,

$\mathcal{R}(\mathrm{L}\Delta_1(T)) \subseteq \mathcal{E}^{\mathcal{C}} = \mathcal{C} \cap \mathcal{PR} \subseteq \mathcal{R}(\mathrm{I}\Delta_1(T)) \subseteq \mathcal{R}(\mathrm{L}\Delta_1(T))$.

This concludes the proof of the theorem. □

The hypothesis on $\mathcal{C}$ in Theorem 6, namely, $\mathcal{C}$ is closed under $\mu\!\le$, is equivalent to the existence of a theory $T'$ such that $\mathcal{C} = \mathcal{R}(T')$ and $T'$ extends $\mathrm{L}\Delta_1(T')$.
Below we discuss whether this hypothesis can be weakened. This is related to the problem of the equivalence between $\mathrm{UI}\Delta_1$ and $\mathrm{B}\Delta_1^{-}$. Here, $\mathrm{B}\Delta_1^{-}$ denotes parameter free $\Delta_1$-collection (see [9] for a deeper background on these theories).

First of all, let us observe that the hypothesis cannot be omitted. In [3] 
Beklemishev obtains / G £1'^ (C VTZ) such that C = U {/}) is not closed 
under bounded recursion. Let T be the theory given by lZ\o + exp-|- “/ is total”. 
Then 7^(T) = C and, since ISi => T, as in the first part of the proof of Theorem 
6, 7^(LZ\l(T)) = E(C). So, C = C n ■P7^ 7 ^ 7^(LZ\l(T)). 

A suitable hypothesis on $\mathcal{C}$ to be used in Theorems 5 and 6 instead of the closure under bounded minimization is the following one:

(IC) There exists a theory $T$ such that $\mathcal{C} = \mathcal{R}(T)$ and $T$ has $\Delta_1$-induction.

Observe that if Theorem 5 holds under hypothesis (IC), so does Theorem 6. The next lemma allows us to avoid using Theorem 4-(3) in the proof of Theorem 6.

Lemma 9. Let $T$ be a $\Pi_2$-axiomatized theory extending $\mathrm{I}\Delta_0 + \exp$ and let $\mathcal{C} = \mathcal{R}(T)$. Then $\mathrm{E}(\mathcal{C}) = \mathrm{C}(\mathcal{C} \cup \mathcal{E}^{\mathcal{C}})$.

Proof. By the first part of the proof of Theorem 6, $\mathrm{E}(\mathcal{C}) = \mathcal{R}(T + \mathrm{L}\Delta_1(T))$. Let $T_{\mathcal{C}}$ be the theory obtained by extending $\mathcal{C}$-BRA as follows:

For each formula $\varphi(x, y) \in \Delta_0$ such that $T \vdash \forall x\,\exists y\,\varphi(x, y)$, we add a new function symbol $f_\varphi$ and take as an axiom the formula

$f_\varphi(x) = y \leftrightarrow \varphi(x, y) \wedge \forall z < y\,\neg\varphi(x, z)$.

Since each $\Delta_0$-formula is equivalent in $\mathcal{C}$-BRA to an open formula, $T_{\mathcal{C}}$ is a universal theory and supports definition by cases. Then, by a standard Herbrand analysis we get that $\mathcal{R}(T_{\mathcal{C}}) = \mathrm{C}(\mathcal{C} \cup \mathcal{E}^{\mathcal{C}})$.

Moreover, every $\Sigma_2$-closed model of $T_{\mathcal{C}}$ is a model of $T + \mathrm{B}\Sigma_1$, since it is a $\Sigma_2$-closed model of $\mathcal{C}$-BRA (Lemma 8). So, as in Theorem 3, we get that for each formula $\theta \in \Pi_2$,

$T + \mathrm{B}\Sigma_1 \vdash \theta \;\Rightarrow\; T_{\mathcal{C}} \vdash \theta$.

Since $T \vdash \exp$, then $\mathrm{E}(\mathcal{C}) = \mathcal{R}(T + \mathrm{B}\Sigma_1) \subseteq \mathcal{R}(T_{\mathcal{C}}) = \mathrm{C}(\mathcal{C} \cup \mathcal{E}^{\mathcal{C}}) \subseteq \mathrm{E}(\mathcal{C})$. □

We conclude by studying the equivalence between $\mathrm{UI}\Delta_1$ and $\mathrm{B}\Delta_1^{-}$.

Proposition 7. Suppose that Theorem 5 holds under hypothesis (IC). Let $T$ be a $\Pi_2$-axiomatized theory extending $\mathrm{Th}_{\Pi_1}(\mathcal{N}) + \exp$ and having $\Delta_1$-induction. Then $T$ extends $\mathrm{L}\Delta_1(T)$.

Proof. As noticed in the proof of Lemma 9, $\mathcal{R}(T + \mathrm{L}\Delta_1(T)) = \mathrm{E}(\mathcal{C})$. Moreover, by Lemma 9, $\mathrm{E}(\mathcal{C}) = \mathrm{C}(\mathcal{C} \cup \mathcal{E}^{\mathcal{C}})$ and, by Theorem 6, $\mathcal{E}^{\mathcal{C}} = \mathcal{R}(\mathrm{I}\Delta_1(T))$. So,

$\mathrm{E}(\mathcal{C}) = \mathrm{C}(\mathcal{C} \cup \mathcal{E}^{\mathcal{C}}) \subseteq \mathcal{R}(T + \mathrm{I}\Delta_1(T)) \subseteq \mathcal{R}(T + \mathrm{L}\Delta_1(T)) = \mathrm{E}(\mathcal{C})$.

Therefore, $\mathcal{R}(T) = \mathcal{R}(T + \mathrm{L}\Delta_1(T))$, since $T$ has $\Delta_1$-induction. By Lemma 4, $T + \mathrm{L}\Delta_1(T)$ is $\Pi_2$-axiomatizable. Hence, by Proposition 1, $T \Leftrightarrow T + \mathrm{L}\Delta_1(T)$ (recall that $T$ extends $\mathrm{Th}_{\Pi_1}(\mathcal{N})$). In particular, $T \Rightarrow \mathrm{L}\Delta_1(T)$. □
Theorem 7. Suppose that Theorem 5 holds under hypothesis (IC). Then

$\mathrm{B}\Delta_1^{-} + \mathrm{Th}_{\Pi_1}(\mathcal{N}) + \exp \;\Leftrightarrow\; \mathrm{UI}\Delta_1 + \mathrm{Th}_{\Pi_1}(\mathcal{N}) + \exp$.

Proof. It is known that $\mathrm{B}\Delta_1^{-} \Rightarrow \mathrm{UI}\Delta_1$; so, we only prove that

$\mathrm{UI}\Delta_1 + \mathrm{Th}_{\Pi_1}(\mathcal{N}) + \exp \;\Rightarrow\; \mathrm{B}\Delta_1^{-} + \mathrm{Th}_{\Pi_1}(\mathcal{N}) + \exp$.

Let $\mathfrak{A} \models \mathrm{UI}\Delta_1 + \mathrm{Th}_{\Pi_1}(\mathcal{N}) + \exp$ and $T = \mathrm{Th}_{\Pi_2}(\mathfrak{A})$. Then it is easy to check that $T$ has $\Delta_1$-induction and extends $\mathrm{Th}_{\Pi_1}(\mathcal{N}) + \exp$. By Proposition 7, $T$ extends $\mathrm{L}\Delta_1(T)$. As a consequence, $T$ extends $\mathrm{B}^*\Delta_1(T)$, since $\mathrm{L}\Delta_1(T) \Rightarrow \mathrm{B}^*\Delta_1(T)$. From this it follows that $\mathfrak{A} \models \mathrm{B}\Delta_1^{-}$ (see remark 2.5.3 in [9]). □
Abstract. We present two, quite different, logical characterizations of the computational complexity class PSPACE on unordered, finite relational structures. The first of these, the closure of second-order logic under the formation of partial fixed points, is well-known in the folklore but does not seem to be in the literature. The second, the closure of first-order logic under taking partial fixed points and under an operator for nondeterministic choice, is novel. We also present syntactic normal forms for the two logics and compare the second with other choice-based fixed-point logics found in the literature.

Keywords. Finite model theory, descriptive complexity, choice operators, partial fixed points.



1 Introduction 

Fixed-point extensions of first-order logic have played a central role in descriptive 
complexity theory: on ordered structures, FO(IFP) captures P [Imm86, Var82], 
FO(PFP) captures PSPACE [AV89] and extensions of first-order logic with 
transitive closure operators, which can be seen as fragments of FO(IFP), capture 
L and NL [Imm87]. All of these characterizations depend on the structures 
being ordered: without the ordering, none of these logics can define even simple 
counting queries. 

The requirement for an ordering is unsatisfactory as it allows queries such 
as, ‘there is an edge from the first vertex of the graph to the second,’ which is 
as much a property of the ordering as it is of the graph. Restricting to formulae 
that give the same result for any ordering does not help as the ‘order-invariant’ 
fragment of each of the logics mentioned above is undecidable. 

One alternative to requiring ordered structures is to move to second-order 
logic, SO, where the ordering relation can be quantified into existence. This does 
not seem to help with capturing P or PSPACE, as even the existential fragment 
of SO already captures NP [Fag74] and SO itself only captures the polynomial 
hierarchy [Sto76]. Here, we show that the combination of second-order quantifica- 
tion and partial fixed points captures PSPACE. This characterization appears 
in the folklore but there does not seem to be a proof in the literature. 
Another alternative is to use a choice operator. Several such mechanisms have appeared in the literature; see, for example, [BG00, DR03, GH98]. Of these, the most general is Blass and Gurevich's $\delta$ operator, which forms terms $\delta x\,\varphi$ with the semantics, `choose an $x$ that satisfies $\varphi$.' Choice and ordering are closely related: given an ordering, choice can be simulated by taking the least element with a property; given choice and iteration, an ordering can be built up by choosing an element to be first and iterating to extend the ordering until it includes every element. Formulae with choice are nondeterministic: the meaning of a formula may depend on which choices are taken during its evaluation, though the set of possible answers depends only on the formula and the structure on which it is evaluated. We investigate $\mathrm{FO(PFP}, \delta)$, the combination of partial fixed-point logic with choice, to obtain our second characterization of PSPACE on unordered structures. We also provide normal forms for this logic and for second-order logic with partial fixed-points.

All structures in this paper are finite and all vocabularies are finite and purely relational, though constant symbols are omitted for notational convenience only. We write $|\mathfrak{A}|$ for the universe of structure $\mathfrak{A}$ and $\|\mathfrak{A}\|$ for the size of $|\mathfrak{A}|$.

2 Partial Fixed Points 

In this section, we give a brief introduction to partial fixed-point logics, which were originally introduced by Abiteboul and Vianu [AV89]; see also [EF99]. Partial fixed points are of particular interest in descriptive complexity.

Theorem 1 ([AV89]). FO(PFP) captures PSPACE on ordered structures.

Let $S$ be a set and let $f$ be a map $\mathcal{P}(S) \to \mathcal{P}(S)$. A fixed point of $f$ is some $s \subseteq S$ such that $f(s) = s$. Consider the sequence of stages $(s^i)_{i \ge 0}$, where $s^0 = \emptyset$ and $s^{i+1} = f(s^i)$. If this sequence eventually becomes stationary, i.e., if there is an $n$ such that $s^i = s^n$ for all $i \ge n$, set $\mathrm{pfp}\,f = s^n$. Clearly, there is no reason to suppose that a general map $f$ will have a fixed point at all, let alone one that can be reached by an iteration like this. If the sequence does not eventually become stationary, set $\mathrm{pfp}\,f = \emptyset$. We shall refer to $\mathrm{pfp}\,f$ as the partial fixed point of $f$, even though there is no guarantee that it really is a fixed point.

Let $\mathcal{L}$ be a logic and let $\varphi$ be an $\mathcal{L}$-formula with a distinguished $r$-ary relation symbol $X$, in which we consider the variables $x_1 \ldots x_r$ to be free. On a structure $\mathfrak{A}$, we may associate with $\varphi$ a map $f^{\mathfrak{A}}_\varphi : \mathcal{P}(|\mathfrak{A}|^r) \to \mathcal{P}(|\mathfrak{A}|^r)$ with $f^{\mathfrak{A}}_\varphi(A) = \{\bar a : (\mathfrak{A}, A, \bar a) \models \varphi\}$. $\mathcal{L}(\mathrm{PFP})$ is the closure of $\mathcal{L}$ under the rule that, if $\varphi$ is a formula, $X$ is an $r$-ary relation symbol and $\bar t$ is an $r$-tuple of terms, $\Phi = (\mathrm{pfp}_{X,\bar x}\,\varphi)(\bar t)$ is a formula. Within the expression $\mathrm{pfp}_{X,\bar x}\,\varphi$, the variables in $\bar x$ are bound. If $\bar a$ is an interpretation for the free variables in $\Phi$, we write $(\mathfrak{A}, \bar a) \models \Phi$ if, and only if, $(t_1(\bar a) \ldots t_r(\bar a)) \in \mathrm{pfp}\,f^{\mathfrak{A}}_\varphi$, where $t_i(\bar a)$ denotes the value of the term $t_i$ under the given interpretation for the free variables.

Theorem 2. Every formula of FO(PFP) is equivalent to one of the form $\exists y\,(\mathrm{pfp}_{X,\bar x}\,\varphi)(y \ldots y)$, where $\varphi \in \mathrm{FO}$.
We can also define simultaneous partial fixed points. For $i \in [1, k]$ let $f_i$ be a map $\mathcal{P}(S^{r_1}) \times \cdots \times \mathcal{P}(S^{r_k}) \to \mathcal{P}(S^{r_i})$ and define the sequence of stages $(\bar s^i)_{i \ge 0}$ by $\bar s^0 = (\emptyset, \ldots, \emptyset)$ and $\bar s^{i+1} = (f_1(\bar s^i), \ldots, f_k(\bar s^i))$. If there is an $n$ such that $\bar s^i = \bar s^n$ for all $i \ge n$, we set $\mathrm{pfp}(f_1, \ldots, f_k) = \bar s^n$; otherwise, it is $(\emptyset, \ldots, \emptyset)$ as before. We denote by $\mathcal{L}(\mathrm{S\text{-}PFP})$ the closure of the logic $\mathcal{L}$ under simultaneous partial fixed points. Allowing such simultaneous definitions does not increase the power of reasonable logics, i.e., logics that are regular in the sense of Ebbinghaus [Ebb85]. In particular, this result applies to SO(PFP) and we shall see in Section 5 that it also goes through for partial fixed points of first-order formulae with choice. Proof is by coding a tuple of relations into a single relation of increased arity; this relation will reach a fixed point if, and only if, all of its component relations do.

Theorem 3. Let $\mathcal{L}$ be a regular logic. Then $\mathcal{L}(\mathrm{PFP}) = \mathcal{L}(\mathrm{S\text{-}PFP})$, and every formula of $\mathcal{L}(\mathrm{S\text{-}PFP})$ is equivalent to one of the form $\Phi = \exists y\,(\mathrm{pfp}_{X,\bar x}\,\varphi)(y \ldots y)$.

3 Second-Order Logic and Partial Fixed Points 

We now consider SO(PFP), the closure of second-order logic under the partial 
fixed-point operator. The following result appears as an exercise in [EF99] and 
is well-known in the folklore but there seems to be no proof in the literature. 

Theorem 4. SO(PFP) captures PSPACE.

Proof. (PSPACE $\subseteq$ SO(PFP)) By Theorem 1, FO(PFP) captures PSPACE on ordered structures. It follows that any PSPACE property of unordered structures is defined by a sentence of the form $\exists R\,(\theta \wedge \varphi)$, where $R$ is a new binary relation symbol, $\theta$ asserts that $R$ is interpreted by a linear order and $\varphi$ is a formula of FO(PFP).

(SO(PFP) $\subseteq$ PSPACE) By induction on the structure of formulae. $\mathrm{FO} \subseteq \mathrm{L}$ and the case of the partial fixed-point operator is standard (see, e.g., [EF99]). The only remaining case is $\exists R\,\varphi$. Assuming inductively that we have a polynomial-space algorithm for $\varphi$, we can determine whether $\mathfrak{A} \models \exists R\,\varphi$ by checking in turn, for each interpretation $A$ of $R$, whether $(\mathfrak{A}, A) \models \varphi$. Interpretations for $R$ can be written down in at most $\|\mathfrak{A}\|^{\mathrm{ar}(R)}$ bits. □

Corollary 5. Every $\Phi \in \mathrm{SO(PFP)}[\sigma]$ is equivalent, on every $\mathfrak{A} \in \mathrm{STRUC}[\sigma]$, to a formula $\Phi' = \exists R\,\exists y\,(\mathrm{pfp}_{X,\bar x}\,\varphi)(y \ldots y)$, where $R$ is a binary relation symbol and $\varphi \in \mathrm{FO}$.

We cannot drop the requirement that $R$ be at least binary in Corollary 5: the result fails for any monadic existential second-order quantifier prefix.
Theorem 6. No formula of SO(PFP) of the form $\exists R_1 \ldots \exists R_n\,(\mathrm{pfp}_{X,\bar x}\,\varphi)(y \ldots y)$, with $\varphi \in \mathrm{FO}$ and every $R_i$ monadic, defines the class of sets of even cardinality.

Proof. We use Fagin's game for the existential fragment of monadic second-order logic [Fag75]. Fix $n$ and $k$ and let $N = k2^n$. Let $\mathfrak{A} = [1, N]$ and $\mathfrak{B} = [1, N+1]$. Player I chooses $R_1^{\mathfrak{A}}, \ldots, R_n^{\mathfrak{A}} \subseteq |\mathfrak{A}|$. Let $c(a, \mathfrak{A}) = \{i : a \in R_i^{\mathfrak{A}}\}$. By the pigeon-hole principle, there must be at least one colour $\kappa \subseteq [1, n]$ such that $\|\{a : c(a, \mathfrak{A}) = \kappa\}\| \ge k$. Player II sets the $R_i^{\mathfrak{B}}$ so that, for $j \in [1, N]$, $c(j, \mathfrak{B}) = c(j, \mathfrak{A})$ and $c(N+1, \mathfrak{B}) = \kappa$.

Player II now wins the $k$-pebble Ehrenfeucht-Fraïssé game on $(\mathfrak{A}, R_1^{\mathfrak{A}}, \ldots, R_n^{\mathfrak{A}})$ and $(\mathfrak{B}, R_1^{\mathfrak{B}}, \ldots, R_n^{\mathfrak{B}})$. The only difference between the structures is that the latter has an extra element, but Player I can never expose this difference as both structures have at least $k$ nodes of that colour. It follows that no formula $\exists R_1 \ldots \exists R_n\,\psi$, where $\psi \in L^k_{\infty\omega}$ (the finite-variable fragment of infinitary first-order logic), defines the class of sets of even cardinality. The result follows as any formula of FO(PFP) is equivalent to one of $L^\omega_{\infty\omega}$ [KV92]. □

An alternative characterization of PSPACE by an extension of second-order logic is given by Harel and Peleg [HP84]. Second-order formulae with free relation variables can be seen as defining `super-relations', i.e., relations on relations (the relation sets of the next section are a special case of this). Harel and Peleg show that PSPACE is captured by second-order logic equipped with an operator for forming transitive closures of super-relations.



4 Nondeterministic Choice 

We now consider first-order logic with choice. Blass and Gurevich introduce two choice operators, $\delta$ and $\delta'$, in [BG00], forming terms $\delta x\,\varphi$ with the effect of choosing an $x$ that satisfies $\varphi$. The choices made by Hilbert's better-known $\epsilon$ choice operator [HB39] (also discussed by Blass and Gurevich) are deterministic, defined by a choice function $f$ such that choosing from a set $S$ will always give element $f(S)$; in contrast, $\delta$ and $\delta'$ are nondeterministic: choosing twice from the same set is not guaranteed to give the same result.

Definition 7. Let $\sigma$ be a vocabulary. $\mathrm{FO}(\delta)[\sigma]$ is the set of terms and formulae obtained by closing $\mathrm{FO}[\sigma]$ under the additional rule that, if $\varphi$ is a formula and $x$ is a variable, then $\delta x\,\varphi$ is a term.

Choosing an $x$ that satisfies $\varphi$ invites the question of what to do when there is no such $x$ in some structure $\mathfrak{A}$. In this case, $\delta x\,\varphi$ evaluates to some `default element' of $|\mathfrak{A}|$. To define the semantics of formulae on ordinary structures, which do not have default elements, we borrow the behaviour of the $\delta'$ operator in [BG00], namely that choosing from the empty set is the same as choosing from the whole universe, while retaining the unbiased choice of $\delta$. This operator is mentioned in [BG00] but not given a name: for simplicity of notation, we call it $\delta$ and will not again refer to the operator that requires default elements.
Blass and Gurevich give a three-valued semantics to the logic. Following our treatment of logics with choice in [DR03], we give a different semantics, in which formulae denote sets of relations, each the result of taking different choices. The semantics of terms and formulae are defined by mutual recursion; a term denotes a set of functions from the values of variables to the value of the term.

Definition 8. Let $\mathfrak{A}$ be a structure and let $\bar x = x_1 \ldots x_k$ be the variables under consideration. The semantics $[\,\cdot\,]^{\mathfrak{A}}$ of terms and formulae of $\mathrm{FO}(\delta)$ is defined as follows.

$[x_i]^{\mathfrak{A}} = \{\lambda\bar x.x_i\}$

$[\delta x_i\,\varphi]^{\mathfrak{A}} = \bigcup_{R \in [\varphi]^{\mathfrak{A}}} \{\lambda\bar x.a : a \in \pi_i(\bar x, R)\}$, where $\pi_i(\bar x, R) = \{a : \bar x[a/x_i] \in R\}$ if this set is non-empty, and $\pi_i(\bar x, R) = |\mathfrak{A}|$ otherwise

$[t_1 = t_2]^{\mathfrak{A}} = \{\{\bar a : f_1(\bar a) = f_2(\bar a)\} : f_i \in [t_i]^{\mathfrak{A}}\}$

$[R(t_1 \ldots t_n)]^{\mathfrak{A}} = \{\{\bar a : (f_1(\bar a) \ldots f_n(\bar a)) \in R^{\mathfrak{A}}\} : f_i \in [t_i]^{\mathfrak{A}}\}$

$[\neg\varphi]^{\mathfrak{A}} = \{|\mathfrak{A}|^k \setminus S : S \in [\varphi]^{\mathfrak{A}}\}$

$[\varphi \wedge \psi]^{\mathfrak{A}} = \{S_1 \cap S_2 : S_1 \in [\varphi]^{\mathfrak{A}},\ S_2 \in [\psi]^{\mathfrak{A}}\}$

$[\exists x_i\,\varphi]^{\mathfrak{A}} = \{\{\bar a : \bar a[a/x_i] \in S \text{ for some } a\} : S \in [\varphi]^{\mathfrak{A}}\}$

Our semantics is subtly different from that of Blass and Gurevich, in which a term denotes a function from the values of variables to the set of possible values of the term and a formula denotes a `nondeterministic relation'. An ordinary relation can be seen as a function from tuples to truth values, with $R = \{\bar a : f(\bar a) = \mathrm{true}\}$; a nondeterministic relation can be seen as a function from tuples to non-empty sets of truth values. Intuitively, if $f(\bar a) = \{\mathrm{true}\}$, $\bar a \in R$ for all evaluations; if $f(\bar a) = \{\mathrm{true}, \mathrm{false}\}$, $\bar a \in R$ for some evaluations and not for others; and, if $f(\bar a) = \{\mathrm{false}\}$, $\bar a \notin R$ for all evaluations.

The difference in semantics of terms (set of functions versus set-valued function) is insignificant and is for notational convenience only. The change from a three-valued semantics to a semantics based on sets of relations gives much greater flexibility: in particular, the three-valued semantics can be recovered from it by associating with a set of relations $\mathcal{R}$ the nondeterministic relation corresponding to the function $f$ given by $\mathrm{true} \in f(\bar a) \Leftrightarrow \bar a \in \bigcup\mathcal{R}$ and $\mathrm{false} \in f(\bar a) \Leftrightarrow \bar a \notin \bigcap\mathcal{R}$. We showed in [DR03] a close correspondence between the relation-set semantics of fixed-point logics with choice and the computation paths of nondeterministic Turing machines, which, we feel, makes our semantics better suited to descriptive complexity. Further, note that the semantics of ifp in $\mathrm{FO(IFP}, \delta)$ is defined in [BG00] by using a relation set as an intermediate stage, from which a three-valued relation is produced.

Definition 9. Let $\varphi \in \mathrm{FO}(\delta)$. $\varphi$ is FO-approximable if there are first-order formulae $\varphi_\cup$ and $\varphi_\cap$ that define, on every structure $\mathfrak{A}$, the relations $\bigcup[\varphi]^{\mathfrak{A}}$ and $\bigcap[\varphi]^{\mathfrak{A}}$, respectively.
FO-approximability corresponds to the FO-definability of ranges in [BG00]. The following lemma and its two corollaries appear there, for Blass and Gurevich's semantics, though our presentation and proofs are rather different as we are working in a relational, rather than functional, setting. Lemma 13 is new. All results in this section carry through to the extension of $\mathrm{FO}(\delta)$ by $\epsilon$-terms.

Lemma 10. Every $\varphi \in \mathrm{FO}(\delta)$ is FO-approximable.

Proof. By induction on the structure of $\varphi$.

$(R(t_1 \ldots t_n))_\cup = \exists y_1 \ldots y_n\,(\bigwedge_{i \in [1,n]} \theta_i \wedge R(\bar y))$

$(R(t_1 \ldots t_n))_\cap = \forall y_1 \ldots y_n\,(\bigwedge_{i \in [1,n]} \theta_i \rightarrow R(\bar y))$,

where the $y_i$ are variables that do not occur in any of the $t_i$ and $\theta_i = (\varphi_i[y_i/x] \vee \forall x\,\neg\varphi_i)$ if $t_i = \delta x\,\varphi_i$, and $\theta_i = (y_i = v)$ if $t_i = v$.

$(\neg\varphi)_\cup = \neg\varphi_\cap$, $(\neg\varphi)_\cap = \neg\varphi_\cup$

$(\varphi \wedge \psi)_\cup = \varphi_\cup \wedge \psi_\cup$, $(\varphi \wedge \psi)_\cap = \varphi_\cap \wedge \psi_\cap$

$(\exists x\,\varphi)_\cup = \exists x\,\varphi_\cup$, $(\exists x\,\varphi)_\cap = \exists x\,\varphi_\cap$. □

A related choice operator is Abiteboul and Vianu's witness operator, $W$ (see, e.g., [ASV90]). $W$ is a much more powerful choice operator than $\delta$: it can be used to simulate existential second-order quantification and, hence, capture NP without the need for fixed-points.

Corollary 11. ' . / 7’ G FO(^) ^ 

^ ■ II' ^y 4’- V’ , II- 

^ ^ , It is immediate from Definition 8 that = 1^2/V’ul^- n 

We call a formula deterministic if, on every structure, it defines a single relation, i.e., $\|[\varphi]^{\mathfrak{A}}\| = 1$ for every finite structure $\mathfrak{A}$ of appropriate vocabulary. Clearly, if $\varphi$ is deterministic, $[\varphi]^{\mathfrak{A}} = \{\varphi_\cup^{\mathfrak{A}}\} = \{\varphi_\cap^{\mathfrak{A}}\}$.

Corollary 12. Every deterministic formula of $\mathrm{FO}(\delta)$ is equivalent to a first-order formula.

This is in contrast with $\mathrm{FO}(\epsilon)$, where the corresponding notion to determinism is $\epsilon$-invariance: a formula is $\epsilon$-invariant if it defines the same query irrespective of which choice function is used. Otto shows that there are formulae of $\mathrm{FO}(\epsilon)$ that are $\epsilon$-invariant over the class of finite structures but not equivalent to any first-order formula [Ott00], though any formula that is $\epsilon$-invariant on the class of arbitrary structures is equivalent to some first-order formula [BG00].

While the deterministic fragment of $\mathrm{FO}(\delta)$ has the same expressive power as ordinary first-order logic, it is not a decidable fragment. On the other hand, the syntax of first-order logic is clearly decidable, so we can consider FO as a recursive syntax for deterministic $\mathrm{FO}(\delta)$.
Lemma 13. Let $\sigma$ be a vocabulary containing a relation symbol of arity at least two. The set of deterministic formulae of $\mathrm{FO}(\delta)[\sigma]$ is undecidable.

Proof. Let $\psi$ be a sentence of $\mathrm{FO}[\sigma]$ and let $\varphi(x) = \neg\psi \wedge x = \delta y\,(y = y)$. $\varphi$ is deterministic if, and only if, $\psi$ is valid. However, by Trakhtenbrot's Theorem [Tra50], the set of valid first-order formulae over a vocabulary containing a relation symbol of arity at least two is undecidable. □

5 Partial Fixed Points with Choice 

We now turn our attention to the combination of $\mathrm{FO}(\delta)$ with partial fixed-points. To do this, we must redefine the partial fixed-point operator to take nondeterministic formulae as arguments.

Definition 14. Let $\mathfrak{A}$ be a structure and let $F : \mathcal{P}(|\mathfrak{A}|^r) \to \mathcal{P}(\mathcal{P}(|\mathfrak{A}|^r)) \setminus \{\emptyset\}$. The tree $T_F$ is the infinite tree whose root is labelled $\emptyset$ and in which every node labelled $S$ has, for each $S' \in F(S)$, a child labelled $S'$. Let $P = (R^i)_{i \ge 0}$ be an infinite path in $T_F$ starting at the root. If there is an $n$ such that $R^i = R^n$ for all $i \ge n$, set $\Lambda P = R^n$; otherwise, set $\Lambda P = \emptyset$. The partial fixed point of $F$ is

$\mathrm{pfp}\,F = \{\Lambda P : P \text{ is a path in } T_F\}$.

Each path in the tree can be seen as a sequence of choices taken in evaluating the argument: this viewpoint is useful when informally describing the semantics of a formula.

Example 15. Let $X$ be a binary relation symbol and $F$ be the map defined by

$\varphi(X, xy) = X(xy) \vee [(\exists u\,\neg X(uu)) \wedge (y = \delta u\,\neg X(uu)) \wedge (x = y \vee X(xx))]$.

When evaluated on a structure $\mathfrak{A}$, $\mathrm{pfp}\,F$ defines the set of linear orders of $|\mathfrak{A}|$. Consider a single path in $T_F$: at each stage, if there are elements that do not yet appear in the ordering, one is nondeterministically chosen and becomes the new greatest element. The fixed point is reached when all elements are ordered.

Although the pfp operator is defined in terms of infinite paths in infinite trees, $\mathrm{pfp}\,F$ is determined by a finite portion of the tree, as shown by the following lemma.

Lemma 16. Let $F^{\mathfrak{A}}$ be a map on $r$-ary relations over $\mathfrak{A}$ as in Definition 14, let $P = (R^i)_{i \ge 0}$ be a path in $T_{F^{\mathfrak{A}}}$ and let $n = 2^{\|\mathfrak{A}\|^r}$. If $R^m = R^{m+1}$ for some $m < n$, then $R^m \in \mathrm{pfp}\,F^{\mathfrak{A}}$; if $R^m \ne R^{m+1}$ for all $m < n$, then $\emptyset \in \mathrm{pfp}\,F^{\mathfrak{A}}$.

Proof. Suppose $R^m = R^{m+1}$ for some $m < n$. $T_F$ must contain a path $Q$ labelled $(R^0, \ldots, R^m, R^m, R^m, \ldots)$, with $\Lambda Q = R^m$. (Of course, we may have $R^m = \emptyset$.)

Conversely, suppose $R^m \ne R^{m+1}$ for all $m < n$. By the pigeon-hole principle, $R^i = R^j$ for some $i < j \le n+1$. It follows that $T_F$ contains a path $Q'$ labelled $(R^0, \ldots, R^i, \ldots, R^{j-1}, R^i, \ldots, R^{j-1}, \ldots)$, with $\Lambda Q' = \emptyset$. □
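The following Python program is an added illustration and is not part of the paper. It implements $\mathrm{pfp}\,F$ of Definition 14 by exploring the finitely many relations that can label nodes of $T_F$ (the pigeon-hole argument of Lemma 16 is what justifies replacing the infinite tree by this finite graph), recovers the deterministic pfp of Section 2 as the special case $F(S) = \{f(S)\}$, and encodes the map of Example 15, whose partial fixed point on a three-element universe is exactly the set of six linear orders. The function names (pfp_choice, pfp, linear_order_map, all_linear_orders, stage_bound, follow_path) are ours, as is the reading of the $\delta$-term in Example 15 as one choice of $u$ per stage, which is how the prose of the example describes it.

```python
"""Partial fixed points of maps with choice (Definition 14) and the stage
bound of Lemma 16, applied to the linear-order map of Example 15.

Relations are frozensets of tuples; F maps a relation to the non-empty set
of relations that may follow it as the next stage (the children in T_F)."""
from itertools import permutations


def pfp_choice(F, root=frozenset()):
    """pfp F = {ΛP : P an infinite path in T_F} (Definition 14).

    T_F is infinite, but its labels range over finitely many relations, so we
    explore the finite graph of relations reachable from the root instead:
    - a path is eventually constant with value R iff R is reachable and
      R ∈ F(R) (from then on we can keep choosing R);
    - a path that never becomes constant exists iff some reachable relation
      lies on a cycle through two or more distinct relations; such a path
      contributes ΛP = ∅ (the pigeon-hole argument of Lemma 16)."""
    succ = {}                     # reachable relation -> set of possible next stages
    stack = [root]
    while stack:
        R = stack.pop()
        if R in succ:
            continue
        succ[R] = set(F(R))
        stack.extend(S for S in succ[R] if S not in succ)
    result = {R for R in succ if R in succ[R]}

    # Depth-first search for a cycle of length >= 2 (self-loops are fixed points).
    state = {}                    # 1 = on the current DFS path, 2 = finished
    nontrivial_cycle = False

    def visit(R):
        nonlocal nontrivial_cycle
        state[R] = 1
        for S in succ[R]:
            if S == R:
                continue
            if state.get(S) == 1:
                nontrivial_cycle = True
            elif S not in state:
                visit(S)
        state[R] = 2

    for R in succ:
        if R not in state:
            visit(R)
    if nontrivial_cycle:
        result.add(frozenset())
    return result


def pfp(f):
    """Deterministic pfp f of Section 2: the special case F(S) = {f(S)}."""
    (R,) = pfp_choice(lambda S: {f(S)})
    return R


def linear_order_map(universe):
    """F_φ for φ(X, xy) = X(xy) ∨ [∃u ¬X(uu) ∧ y = δu ¬X(uu) ∧ (x = y ∨ X(xx))]
    (Example 15), reading the δ-term as one choice of u per stage: the chosen
    element u becomes the new greatest element of the order built so far."""
    def F(X):
        placed = {x for x in universe if (x, x) in X}
        unplaced = [u for u in universe if u not in placed]
        if not unplaced:          # ∃u ¬X(uu) fails: φ defines X itself
            return {X}
        return {X | {(x, u) for x in placed | {u}} for u in unplaced}
    return F


def all_linear_orders(universe):
    """Every (reflexive) linear order on `universe`, as a set of relations."""
    n = len(universe)
    return {frozenset((p[i], p[j]) for i in range(n) for j in range(i, n))
            for p in permutations(universe)}


def stage_bound(universe_size, arity):
    """n = 2^(|A|^r): the number of r-ary relations, hence Lemma 16's bound."""
    return 2 ** (universe_size ** arity)


def follow_path(F, choose, bound):
    """Follow one path of T_F for `bound` stages, letting `choose` pick the next
    stage.  Returns R^m if R^m = R^{m+1} for some m < bound (then R^m ∈ pfp F);
    returns None otherwise, in which case Lemma 16 gives ∅ ∈ pfp F."""
    R = frozenset()
    for _ in range(bound):
        S = choose(F(R))
        if S == R:
            return R
        R = S
    return None


if __name__ == "__main__":
    universe = (0, 1, 2)
    orders = pfp_choice(linear_order_map(universe))
    print(len(orders), "linear orders; ∅ in pfp:", frozenset() in orders)
    # Complementation never becomes stationary, so its pfp is ∅.
    print(pfp(lambda S: frozenset(universe) - S))
```

On the three-element universe every path of the Example 15 tree converges, so ∅ is not in the partial fixed point and the six results are precisely the permutations read as orders; the complementation map, by contrast, alternates between ∅ and the full relation forever, which is the case where Definition 14 (and Section 2) assign the value ∅.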
Definition 17. $\mathrm{FO(PFP}, \delta)[\sigma]$ is the closure of $\mathrm{FO}(\delta)[\sigma]$ under the partial fixed-point rule of Section 2, where now the argument $\varphi$ may be any formula of $\mathrm{FO}(\delta)$. On a structure $\mathfrak{A}$, $\varphi$ determines the map $F^{\mathfrak{A}}_\varphi(S) = [\varphi]^{(\mathfrak{A}, S)}$ on $r$-ary relations, and

$[(\mathrm{pfp}_{X,\bar x}\,\varphi)(t_1 \ldots t_r)]^{\mathfrak{A}} = \{\{\bar a : (f_1(\bar a) \ldots f_r(\bar a)) \in R\} : R \in \mathrm{pfp}\,F^{\mathfrak{A}}_\varphi,\ f_i \in [t_i]^{\mathfrak{A}}\}$.

We do not describe $\mathrm{FO(PFP}, \delta)$ as a logic: in our view, a logic consists of both a set of formulae and a satisfaction relation that connects formulae with the structures in which they are true. For deterministic formulae, i.e., those that define a single relation, the satisfaction relation is obvious: we may write $(\mathfrak{A}, \bar a) \models \varphi$ if, and only if, $\bar a \in R$, where $[\varphi]^{\mathfrak{A}} = \{R\}$. In general, though, formulae are not restricted to defining singleton sets of relations and there are many possible definitions of satisfaction for such formulae. For the time being, we shall consider formulae just in terms of defining nondeterministic queries and defer the consideration of satisfaction relations until Section 5.2.

In common with FO(PFP), we can allow parameterized definitions without increasing the expressive power of the logic. Let $\Phi = (\mathrm{pfp}_{X,\bar x}\,\varphi)(\bar t)$, where the free variables of $\varphi$ are among $\bar x\bar z$. Then $[\Phi]^{\mathfrak{A}} = \{\{\bar b\bar a : \bar b \in R\} : R \in \mathrm{pfp}\,F^{(\mathfrak{A},\bar a)}_\varphi\}$, where $F^{(\mathfrak{A},\bar a)}_\varphi$ is the stage map of $\varphi$ with the parameters $\bar z$ interpreted by $\bar a$.

Theorem 18. Every formula of $\mathrm{FO(PFP}, \delta)$ with parameterized pfp definitions is equivalent to one without parameters.

Proof. Let $\Phi = (\mathrm{pfp}_{X,\bar x}\,\varphi)(\bar t)$, where $\varphi$ has free variables $\bar x\bar z$ and none of the variables in $\bar z$ appears bound in $\varphi$. For any $\mathfrak{A}$ of appropriate vocabulary, $[\Phi]^{\mathfrak{A}} = [(\mathrm{pfp}_{Z,\bar x\bar z}\,\varphi^*)(\bar t\bar z)]^{\mathfrak{A}}$, where $Z$ is a new relation symbol of arity $|\bar x\bar z|$ and $\varphi^*$ is the result of replacing every subformula $X(\bar u)$ in $\varphi$ with $Z(\bar u\bar z)$. □

We can also define simultaneous fixed points, much as in the deterministic case. Again, this does not increase expressive power.

Definition 19. Let $\mathfrak{A}$ be a structure and, for $i \in [1, n]$, let $F_i^{\mathfrak{A}} : \mathcal{P}(|\mathfrak{A}|^{r_1}) \times \cdots \times \mathcal{P}(|\mathfrak{A}|^{r_n}) \to \mathcal{P}(\mathcal{P}(|\mathfrak{A}|^{r_i})) \setminus \{\emptyset\}$. The tree $T_{F_1, \ldots, F_n}$ has root labelled $(\emptyset, \ldots, \emptyset)$, and every node labelled $\bar R = (R_1, \ldots, R_n)$ has, for each $\bar S \in F_1(\bar R) \times \cdots \times F_n(\bar R)$, a child labelled $\bar S$. For an infinite path $P = (\bar R^i)_{i \ge 0}$ from the root, $\Lambda P = \bar R^n$ if there is an $n$ such that $\bar R^i = \bar R^n$ for all $i \ge n$, and $\Lambda P = (\emptyset, \ldots, \emptyset)$ otherwise. Then

$\mathrm{pfp}(F_1, \ldots, F_n) = \{\Lambda P : P \text{ is a path in } T_{F_1, \ldots, F_n}\}$.

Theorem 20. Every $\Phi \in \mathrm{FO(PFP}, \delta)$ using simultaneous partial fixed points is equivalent to a formula without them, of the form $\Phi' = \exists y\,(\mathrm{pfp}_{X,\bar x}\,\varphi)(y \ldots y)$.
The proof is omitted as it is largely standard: the simultaneously-defined relations are coded into a single relation of greater arity. We do not include simultaneous definitions in the formal definition of the syntax and, when we write simultaneous inductions, they should be treated as an abbreviation for the equivalent simple induction.

A second consequence of the theorem is that we may, from this point, assume that the $t_i$ in any formula $(\mathrm{pfp}_{X,\bar x}\,\varphi)(\bar t)$ are variables and not $\delta$-terms.

5.1 Normal Forms 

Say that a formula of $\mathrm{FO(PFP}, \delta)$ is totally defined if, for all of its subformulae $(\mathrm{pfp}_{X,\bar x}\,\varphi)(\bar y)$, every path in $T_{F_\varphi}$ leads to a fixed point, for every structure $\mathfrak{A}$ of appropriate vocabulary. That is, for every path $P = (R^i)_{i \ge 0}$ in $T_{F^{\mathfrak{A}}_\varphi}$ there is an $n$ such that $R^i = R^n$ for all $i \ge n$.

Theorem 21. Every formula of $\mathrm{FO(PFP}, \delta)$ is equivalent to a totally-defined formula.

Proof. Let $\Phi = (\mathrm{pfp}_{X,\bar x}\,\varphi)(\bar y)$, with $\mathrm{ar}(X) = r$. Let $P = (R^i)_{i \ge 0}$ be a path in $T_{F_\varphi}$. By Lemma 16, if $R^i = R^{i+1}$ for some $i < 2^{\|\mathfrak{A}\|^r}$ then $T_{F_\varphi}$ contains a path $P'$ with $\Lambda P' = R^i$; if not, the tree contains a path $P'$ with $\Lambda P' = \emptyset$.

We simulate $\Phi$ on a structure $\mathfrak{A}$ with a totally-defined formula $\Phi'$ which simulates $\Phi$ for $n = 2^{\|\mathfrak{A}\|^r}$ stages. If, during that time, two successive stages have the same value, every subsequent stage of the simulation will also have that value; if not, then all stages after the $n$th will have value $\emptyset$. A new $r$-ary relation $Y$ will be used to remember the value of $X$ from the previous stage.

To perform the simulation, we first build up a linear order of $|\mathfrak{A}|$ in a new binary relation $\le$. We shall abuse notation slightly and use the symbol $\le$ to stand for the lexicographic ordering that $\le$ induces on $r$-tuples, as this induced ordering is FO-definable from $\le$. Using this linear order, we can treat an $r$-ary relation $C$ as an $\|\mathfrak{A}\|^r$-bit binary number: let $o(\bar a) = \|\{\bar b : \bar b < \bar a\}\|$ and associate $C$ with the number $n(C)$ whose bit $o(\bar a)$ is set exactly when $\bar a \in C$. Given a relation $C$, the relation $C'$ such that $n(C') = n(C) + 1 \pmod{2^{\|\mathfrak{A}\|^r}}$ is defined by the first-order formula

$\theta_{\mathrm{succ}}(\bar x) = C(\bar x) \leftrightarrow \exists\bar y\,(\bar y < \bar x \wedge \neg C(\bar y))$.

That is, the least unset bit becomes set, all bits below that become unset and all remaining bits are unaffected. (A similar technique for cycling through all possible relations with a partial fixed point is used in [Daw98].)

$\Phi'$ is a simultaneous induction defining $X$, $\le$, $Y$ and $C$ and applied to $\bar y$; we give its components $\varphi_X$ and $\varphi_C$. We have seen how to construct linear orders in Example 15.

$\varphi_X(\bar x) = (\forall y\ y \le y) \wedge (X = Y \ne \emptyset\ ?\ X(\bar x) : \exists\bar y\,\neg C(\bar y) \wedge \varphi(\bar x))$,

where $\alpha\ ?\ \beta : \gamma$ abbreviates $(\alpha \wedge \beta) \vee (\neg\alpha \wedge \gamma)$. The first conjunct ensures that the linear order has been constructed before the fixed point is simulated. Once
that has been done, if the simulation has reached a non-empty fixed point $X$, all subsequent stages will maintain that fixed point; otherwise, the next stage is simulated, as long as the counter relation has not yet filled up. If the counter relation is full, the simulation is complete: if no non-empty fixed point has been reached, no tuples satisfy $\varphi_X$, as required.

The counter relation $C$ is defined by:

$\varphi_C(\bar x) = (\forall y\ y \le y) \wedge (\forall\bar y\,C(\bar y)\ ?\ x_1 = x_1 : \theta_{\mathrm{succ}}(\bar x))$.

Once the linear order has been constructed, this formula causes $n(C)$ to be incremented once per stage until its maximal value is reached. □
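The counter construction from the proof of Theorem 21, as an added Python example that is not from the paper: tuple_order lists the $r$-tuples in the lexicographic order the proof takes as FO-definable from $\le$, number_of computes $n(C)$, theta_succ evaluates $\theta_{\mathrm{succ}}$ pointwise, counter_values shows the counter cycling through all $2^{\|\mathfrak{A}\|^r}$ relations, and totally_defined_pfp runs the $(\varphi_X, \varphi_C)$ induction literally for a deterministic stage map $f$, taking the linear order as already built and updating $Y$ to the previous $X$ as the prose describes. The function names and the two-element test universe are ours.

```python
"""The relation-as-counter construction from the proof of Theorem 21:
an r-ary relation C over a linearly ordered universe is read as an
|A|^r-bit number, θ_succ increments it, and the simultaneous induction
(φ_X, φ_C) turns a deterministic stage map into a totally-defined one."""
from itertools import product


def tuple_order(universe, r):
    """All r-tuples in the lexicographic order induced by the order of `universe`
    (itertools.product enumerates them exactly in that order), so the position
    of ā in this list is o(ā) = ||{b̄ : b̄ < ā}||."""
    return list(product(universe, repeat=r))


def number_of(C, tuples):
    """n(C): the number whose bit o(ā) is set exactly when ā ∈ C."""
    return sum(1 << i for i, a in enumerate(tuples) if a in C)


def theta_succ(C, tuples):
    """C' = {x̄ : C(x̄) ↔ ∃ȳ (ȳ < x̄ ∧ ¬C(ȳ))}: the least unset bit becomes set,
    the bits below it become unset, the rest are unchanged, so
    n(C') = n(C) + 1 (mod 2^{|A|^r})."""
    new = set()
    lower_unset = False           # tracks ∃ȳ < x̄ ¬C(ȳ) as x̄ runs upwards
    for x in tuples:
        if (x in C) == lower_unset:
            new.add(x)
        lower_unset = lower_unset or x not in C
    return frozenset(new)


def counter_values(universe, r):
    """n(C) over 2^{|A|^r} + 1 successive applications of θ_succ from C = ∅:
    0, 1, ..., 2^{|A|^r} - 1 and then 0 again."""
    tuples = tuple_order(universe, r)
    C, values = frozenset(), []
    for _ in range(2 ** len(tuples) + 1):
        values.append(number_of(C, tuples))
        C = theta_succ(C, tuples)
    return values


def totally_defined_pfp(f, universe, r):
    """Run the simultaneous induction of Theorem 21 for a deterministic stage
    map f on r-ary relations, with the linear order taken as already built.
    Each stage computes, from the previous stage's values:
      φ_X: keep X if X = Y ≠ ∅; else apply f while some ȳ has ¬C(ȳ); else X := ∅
      Y  : the previous value of X
      φ_C: stay full once full, otherwise θ_succ
    Returns the X-component of the fixed point reached (R^m for the first m with
    R^m = R^{m+1} found while the counter still had room, ∅ otherwise) together
    with the number of stages; the induction always stops within
    2^{|A|^r} + 3 stages, which is what 'totally defined' buys."""
    tuples = tuple_order(universe, r)
    full = frozenset(tuples)
    X = Y = C = frozenset()
    stages = 0
    while True:
        if X == Y and X:
            next_X = X
        elif C != full:
            next_X = frozenset(f(X))
        else:
            next_X = frozenset()
        next_Y = X
        next_C = C if C == full else theta_succ(C, tuples)
        stages += 1
        if (next_X, next_Y, next_C) == (X, Y, C):
            return X, stages
        X, Y, C = next_X, next_Y, next_C


if __name__ == "__main__":
    print(counter_values((0, 1), 2))                        # 0 .. 15, then 0
    U = (0, 1)
    print(totally_defined_pfp(lambda S: S | {(0,)}, U, 1))  # converges to {(0,)}
    print(totally_defined_pfp(lambda S: frozenset(tuple_order(U, 1)) - S, U, 1))
```

The last call is the instructive one: plain iteration of the complement map oscillates forever, whereas the simulated induction halts once the counter fills and returns ∅, the value Section 2 assigns to a non-stationary sequence.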

Our first normal form shows that, in common with most fixed-point logics, every formula is equivalent to (in the sense of defining the same nondeterministic query as) a formula containing just one instance of the fixed-point operator. Call a tuple diagonal if all its elements are equal.

Theorem 22. For every $\Phi \in \mathrm{FO(PFP}, \delta)[\sigma]$ there is a formula $\Phi' = \exists y\,(\mathrm{pfp}_{X,\bar x}\,\varphi)(y \ldots y)$, with $\varphi \in \mathrm{FO}(\delta)$, such that $[\Phi]^{\mathfrak{A}} = [\Phi']^{\mathfrak{A}}$ for all $\mathfrak{A} \in \mathrm{STRUC}[\sigma]$.

Proof. By induction on the structure of $\Phi$. All relevant subformulae will inductively be assumed to be of the form $\Phi_i = \exists y\,(\mathrm{pfp}_{X_i,\bar x}\,\varphi_i)(y \ldots y)$. Further, by Theorem 21, we may assume that $\Phi_i$ is totally defined. We give the formula $\Phi'$ as a simultaneous induction; this is equivalent to a formula of the required form by Theorem 20.

($\Phi = R(t_1 \ldots t_n)$) We may assume that each $t_i$ is of the form $\delta x\,\Phi_i$, where $\Phi_i$ has the properties given in the previous paragraph: the term $v$ is equivalent to $\delta x\,(\mathrm{pfp}_{X_i}\,x = v)$, where $X_i$ is a new nullary relation symbol. (The fixed-point expression evaluates to true if, and only if, $x$ and $v$ are equal, so the meaning of the term is `choose an $x$ that is equal to $v$'.) We may further assume that each $\Phi_i$ takes $x$ as a parameter so, by Theorems 18 and 20, $\Phi_i = \exists y\,(\mathrm{pfp}_{X_i,\bar x}\,\varphi_i)(y \ldots y\,x)$, which we may assume to be totally defined by the previous theorem.

$\Phi'$ simulates the $\Phi_i$ until each has reached its fixed point, simulates the evaluation of the terms $t_i$ and asks whether the resulting tuple $\bar a$ appears in $R$. This is straightforward with a simultaneous induction; we omit the details.

($\Phi = \neg\Phi_1$) Let $A$ be a new nullary relation symbol.

$\Phi' = \mathrm{pfp}_{A, X_1, \bar x}\,(\neg\exists y\,X_1(y \ldots y),\ \varphi_1)$.

Since $\Phi_1$ is totally defined, $X_1$ will eventually reach a fixed point. If that fixed point contains no diagonal tuples, $A$ (and, hence, $\Phi'$) will be true at all future stages; otherwise, it will be false at all future stages, as required. Since $A$ and $X_1$ have both reached fixed points, the simultaneous induction has reached a fixed point and we are done. The cases of conjunction and existential quantification are similar.
($\Phi = (\mathrm{pfp}_{X,\bar x}\,\Phi_1)(\bar u)$) To simulate a single stage of $\Phi$, we simulate $\Phi_1$ until it reaches a fixed point. We then set $X$ to be the set of interpretations for $\bar x$ (the variables in $\bar x$ are treated as parameters to $\Phi_1$) that result in the presence of a diagonal tuple in the fixed point of $\Phi_1$. At the next stage of the simulation, $X_1$ is reset to be empty and the simulation is repeated until $X$ reaches a fixed point, which we may assume it does by Theorem 21. $\Phi'$ will be true if, and only if, this fixed point includes the tuple $\bar u$. We omit the details. □

The second normal form, Theorem 23, shows that, in addition to only requiring one occurrence of the pfp operator in any formula, it suffices to make only one choice at each stage of the construction of the fixed point. For the proof, we code relations $R_1,\ldots,R_n$ into a single relation $R$ of arity $n+1+r$, where $r=\max\{r_1,\ldots,r_n\}$, such that

$(a_1\ldots a_{r_i}) \in R_i \iff (b_1\ldots b_{n+1}\,a_1\ldots a_r)\in R$ for some $a_{r_i+1}\ldots a_r$ and $b_1=\cdots=b_i\neq b_{i+1}=\cdots=b_{n+1}$.

Each tuple in $R$ is prefixed by a label whose equality type indicates the coded relation to which it belongs. We write $R_i(\bar x)$ for the first-order formula that says that the tuple $\bar x$ is an element of the relation $R_i$ coded in $R$ and $L_i(\bar x)$ for the formula that says that $\bar x$ has the correct label to code an element of $R_i$. This requires structures to have at least two elements but the result applies to all structures as there are only finitely many single-element structures of any given vocabulary, which can be treated as special cases.
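As an added worked instance of this coding (an editorial example, not part of the paper), take $n=2$ with $R_1$ unary and $R_2$ binary; the two-element universe $\{0,1\}$ and the contents of $R_1$ and $R_2$ below are constructed for illustration:

```latex
% Added worked example (not part of the paper): coding two relations into one.
% n = 2, r_1 = 1, r_2 = 2, so r = 2 and R has arity n + 1 + r = 5.
% A tuple of R reads (b_1 b_2 b_3 a_1 a_2); the label b_1 b_2 b_3 has length n + 1 = 3
% and its equality type (i leading equal entries, then the rest) selects R_i:
L_1(b_1 b_2 b_3 a_1 a_2) \;:=\; b_1 \neq b_2 \wedge b_2 = b_3 \\
L_2(b_1 b_2 b_3 a_1 a_2) \;:=\; b_1 = b_2 \wedge b_2 \neq b_3 \\
% Membership in the coded relations; for R_1 the padding a_2 is quantified away:
R_1(a_1) \;:=\; \exists b_1 b_2 b_3 a_2\,\big(L_1(b_1 b_2 b_3 a_1 a_2) \wedge R(b_1 b_2 b_3 a_1 a_2)\big) \\
R_2(a_1 a_2) \;:=\; \exists b_1 b_2 b_3\,\big(L_2(b_1 b_2 b_3 a_1 a_2) \wedge R(b_1 b_2 b_3 a_1 a_2)\big) \\
% Constructed instance over the universe {0,1} with R_1 = {1} and R_2 = {(0,1)}.
% R carries every label of the right equality type and every padding value,
% as a relation built by a definable induction without a linear order must:
R \;=\; \{\,0\,1\,1\,1\,c,\ \ 1\,0\,0\,1\,c \;:\; c \in \{0,1\}\,\} \;\cup\; \{\,0\,0\,1\,0\,1,\ \ 1\,1\,0\,0\,1\,\} \\
% Check: the four tuples of label type b_1 \neq b_2 = b_3 all have a_1 = 1 (padding a_2
% arbitrary), so R_1(a_1) holds exactly for a_1 = 1; the two tuples of label type
% b_1 = b_2 \neq b_3 have (a_1, a_2) = (0, 1), so R_2 = {(0,1)}.
% Equality types are invariant under permutations of the universe, so the coding is
% order-free; it needs two distinct elements to form a label, which is the
% restriction to structures with at least two elements noted in the text.
```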

Theorem 23. For every $\varphi\in\mathrm{FO}(\mathrm{PFP},\delta)$ there is a formula $\psi$ of the form

$\exists y\,\big(\mathrm{pfp}_{Y,\bar x}\,\exists d\,((d=\delta x\,\theta)\wedge\zeta)\big)(y\ldots y),$

with $\theta,\zeta\in\mathrm{FO}$, such that $[\psi]^{\mathfrak A}=[\varphi]^{\mathfrak A}$ for all $\mathfrak A\in\mathrm{STRUC}[\sigma]$.

Proof. By the previous theorem and Theorem 18, we may assume that $\varphi=(\mathrm{pfp}_{X,\bar x}\,\psi)(y\ldots y)$, where $\psi\in\mathrm{FO}(\delta)$. We may further assume $\varphi$ is totally defined and that every $\delta$-term in $\psi$ occurs in a formula $v=\delta x\,\theta$, as any formula $R(t_1\ldots t_r)$ is equivalent to $\exists v_1\ldots v_r\,(R(\bar v)\wedge v_1=t_1\wedge\ldots\wedge v_r=t_r)$.

Define $T(\psi)$, the tree of $\psi$, recursively on the structure of the formula, as follows, writing $-$ for the empty tree and $[L,\ell,r]$ for a node labelled $L$ with left and right subtrees $\ell$ and $r$, respectively.

$T(R(x_{i_1}\ldots x_{i_r})) = [R(x_{i_1}\ldots x_{i_r}),\,-,\,-]$
$T(x_i=x_j) = [x_i=x_j,\,-,\,-]$
$T(x_i=\delta x_j\,\psi) = [x_i=\delta x_j,\,T(\psi),\,-]$
$T(\neg\psi) = [\neg,\,T(\psi),\,-]$
$T(\psi\wedge\chi) = [\wedge,\,T(\psi),\,T(\chi)]$
$T(\exists x_i\,\psi) = [\exists x_i,\,T(\psi),\,-]$.



Let $N_1,\ldots,N_s$ be a full enumeration of the nodes of $T(\psi)$ such that, for $i<j$, $N_i$ is never in a subtree rooted at $N_j$. We use this enumeration of the nodes of $T(\psi)$ to evaluate $\psi$ over several stages of a fixed point. Each of these stages will require at most one choice to be made.

Let $D$ and $D_1,\ldots,D_s$ be new nullary relation symbols and $X_1,\ldots,X_s$ be new $k$-ary relation symbols, where $k=\mathrm{ar}(X)$. Let $\bar u$ be a $(2s+2)$-ary tuple of new variables and $Y$ be a new relation symbol of arity $2s+2+k$. $Y$ will store the standard coding of $X$, $D$, $D_1,\ldots,D_s$ and $X_1,\ldots,X_s$.

Simulation of one stage of $\varphi$ will take $s+1$ stages. Initially, all the $D_i$ are false. The formulae represented by $N_s,\ldots,N_1$ are evaluated in turn, with the relations they define stored in $X_s,\ldots,X_1$. As each $X_i$ is evaluated, the corresponding $D_i$ is set to true. $D$ will be set to true once the fixed point has been reached in order to ensure that the simulation also reaches a fixed point. The fixed point has been reached when $X_1$ has been evaluated and contains exactly the same tuples as $X$ ($X_1$ holds the evaluation of $\psi$). At this point, if $X$ contains a diagonal tuple, $\psi_A$ adds all diagonal tuples to $Y$, so $\varphi$ will be true, as required.

To get the desired normal form, we must perform the coding 'by hand' rather than by appealing to Theorem 20. $\varphi=\exists y\,(\mathrm{pfp}_{Y,\bar u\bar x}\,\psi^*)(y\ldots y)$, where

$\psi^*(\bar u\bar x)=\exists d\,\big[(d=\delta x\,\psi)\wedge\big[\psi_A\vee\psi_D\vee\psi_X\vee\textstyle\bigvee_{i\in[1,s]}(\theta_i\wedge\psi_i)\big]\big]$

and $\theta_i$ says that $D=\mathrm{false}$ and that $D_j=\mathrm{false}$ for $j\le i$ and true for $j>i$, i.e., that the simulation is not yet over and $N_i$ is the next node to be evaluated.

$\psi_D(\bar u\bar x)=L_D(\bar u\bar x)\wedge D_1\wedge X=X_1$
$\psi_A(\bar u\bar x)=(D\wedge\theta_{\mathrm{diag}}(\bar u\bar x)\wedge Y(\bar u\bar x))\vee(\exists\bar u\bar x\,\psi_D(\bar u\bar x)\wedge\theta_{\mathrm{diag}}(\bar u\bar x)\wedge\exists y\,X(y\ldots y))$
$\psi_X(\bar u\bar x)=D_1\wedge L_X(\bar u\bar x)\wedge X_1(\bar x)$

where $\theta_{\mathrm{diag}}(\bar u\bar x)$ asserts that its argument is diagonal. $\psi_D$ sets $D$ to true when the fixed point has been reached, i.e., when $D_1=\mathrm{true}$ and $X_1=X$. The first disjunct of $\psi_A$ maintains any diagonal tuples in $Y$ once $D=\mathrm{true}$; the second adds diagonal tuples to $Y$ if the fixed point has been reached (i.e., $D$ will be true at the next iteration) and $X$ contains diagonal tuples. If $D_1=\mathrm{true}$ (i.e., the evaluation of $\psi$ is complete), $\psi_X$ copies $X_1$ to $X$.

To understand the remaining subformulae, it is helpful to fix in one's mind an interpretation for $\bar u$ and $\bar x$.

$\psi(\bar u\bar x x)=\textstyle\bigvee_{i\in I}\big(\theta_i\wedge X_l(\bar x[x/x_n])\big),$

where $I=\{\,i : N_i=[x_m=\delta x_n,\,N_l,\,-]\,\}$. If the node of $T(\psi)$ currently being evaluated is a choice node, $\psi$ defines the choice set, from which $d$ is chosen.

$\psi_i(\bar u\bar x)=L_{D_i}(\bar u\bar x)\vee(L_{X_i}(\bar u\bar x)\wedge\chi_i(\bar x)),$

where $\chi_i(\bar x)$ depends on $N_i$. The difficult case is choice nodes: if $N_i=[x_m=\delta x_n,\,N_l,\,-]$, then $\chi_i(\bar x)=x_m=d\wedge\exists x_m\,X_l(\bar x)$. The other cases are reasonably obvious: for example, if $N_i=[\neg,\,N_l,\,-]$, then $\chi_i(\bar x)=\neg X_l(\bar x)$. □
The fact that every formula is equivalent to one with a single occurrence of the fixed-point operator, with only one choice taken per stage, suggests a link with the fixed-point operators introduced by Gire and Hoang [GH98]. These operators perform inflationary (rather than partial) inductions about two formulae: one defines a 'choice set', from which a single tuple is chosen; the other uses this chosen tuple to define the tuples to be added to the relation under construction. In [DR03], we show that their logic IFPc, which we denote G-IFP, has the same expressive power as FO(IFP,δ). From the previous theorem, we can see that a partial fixed-point logic in the style of G-IFP would define the same queries as the apparently more general FO(PFP,δ). We can also use the iteration provided by a fixed-point operator to simulate the more powerful W operator with repeated δ choices, so FO(PFP,δ) and FO(PFP,W) define the same queries.

5.2 Expressive Power 

So far, we have considered FO(PFP,δ) only in terms of defining nondeterministic queries: we have not called it a logic as we have not presented a satisfaction relation. We first deal with the deterministic case. Recall that a formula $\varphi$ is deterministic if, on all structures $\mathfrak A$, it defines a single relation, i.e., $|[\varphi]^{\mathfrak A}|=1$.

In this case, satisfaction is easily defined to coincide with satisfaction of ordinary deterministic logics. Denote by FO(PFP,δ)$_{\mathrm{det}}$ the FO(PFP,δ) formulae that are deterministic on the class of all finite structures of appropriate vocabulary and write $(\mathfrak A,\bar a)\models_{\mathrm{det}}\varphi$ if, and only if, $\bar a\in R$, where $[\varphi]^{\mathfrak A}=\{R\}$.

Theorem 24. FO(PFP,δ)$_{\mathrm{det}}$ = PSPACE.

Proof. (FO(PFP,δ)$_{\mathrm{det}}\subseteq$ PSPACE) Consider evaluating a formula $\varphi$ on a structure $\mathfrak A$. We may assume that $\varphi$ is totally defined and in the normal form of Theorem 22. Since $\varphi$ is deterministic, we need evaluate only one path through $T_{\mathfrak A}$ and, by Lemma 16, it suffices to evaluate that path to depth $N=2^{\|\mathfrak A\|^r}$, where $r$ is the arity of the relation constructed by the fixed-point operator. Counting out the stages can be done with a $\|\mathfrak A\|^r$-bit binary counter; evaluating each stage requires choosing a fixed number of elements of $|\mathfrak A|$ and evaluating a first-order formula, which can be done in space $O(\log|\mathfrak A|)$. The total space requirement is, therefore, polynomial in $\|\mathfrak A\|$.

(PSPACE $\subseteq$ FO(PFP,δ)$_{\mathrm{det}}$) Every PSPACE query can be defined by a deterministic FO(PFP,δ) formula by first defining a linear order and then simulating an order-invariant FO(PFP) sentence on the resulting ordered structure. □

Notice that we do not describe FO(PFP,δ)$_{\mathrm{det}}$ as a logic as it does not have recursive syntax. The following theorem is similar to Theorem 28 of [DR03], though the restriction to vocabularies containing an at-least-binary relation symbol is lifted. The same techniques can be applied to remove the restriction there.



Theorem 25. The set of deterministic FO(PFP,δ) formulae is undecidable.

Proof. The case where the vocabulary contains an at-least-binary relation symbol is covered by Lemma 13. For the empty vocabulary, let $A$ and $E$ be new relation symbols of arity 0 and 2, respectively, and consider the sentence

$\varphi=\mathrm{pfp}_{A,E,xy}(\psi,\varphi_E),$

where $\psi$ is some first-order sentence in vocabulary $\langle E\rangle$ and

$\varphi_E(xy)=E(xy)\vee\big(x=\delta u\,(u=u)\wedge x=\delta v\,(v=v)\wedge y=\delta w\,(w=w)\big).$

At each stage of evaluating $\varphi$ on a structure $\mathfrak A$, $\varphi_E$ chooses three elements $u$, $v$ and $w$. If $u=v$, the pair $uw$ is added to $E$; otherwise $E$ remains unchanged. If $(\mathfrak A,E)\models\psi$, $A$ is set to true; otherwise, it remains false. Along every path in $T_{\mathfrak A}$, $E$ reaches some fixed point and, for any $S\subseteq|\mathfrak A|^2$, there is a path in the tree where $E$ reaches the fixed point $S$. $\mathrm{true}\in[\varphi]^{\mathfrak A}$ if, and only if, $(\mathfrak A,E)\models\psi$ for some $E$, and $\mathrm{false}\in[\varphi]^{\mathfrak A}$ if, and only if, $(\mathfrak A,E)\not\models\psi$ for some $E$. $\varphi$ is deterministic if, and only if, $\psi$ or its complement is valid, so the undecidability of the set of deterministic FO(PFP,δ) formulae follows from Trakhtenbrot's Theorem [Tra50]. □

We now consider the satisfaction of nondeterministic formulae.

Definition 26. FO(PFP,δ)$_\exists$ is FO(PFP,δ) equipped with the satisfaction relation $(\mathfrak A,\bar a)\models_\exists\varphi$ if, and only if, $\bar a\in R$ for some $R\in[\varphi]^{\mathfrak A}$.

Equivalently, $(\mathfrak A,\bar a)\models_\exists\varphi$ if, and only if, $\bar a\in\bigcup[\varphi]^{\mathfrak A}$. FO(PFP,δ)$_\exists$ is our second characterization of PSPACE on unordered finite structures.

Theorem 27. FO(PFP,δ)$_\exists$ = PSPACE.

Proof. (PSPACE $\subseteq$ FO(PFP,δ)$_\exists$) Let $\Phi\in\mathrm{SO}(\mathrm{PFP})$; by Corollary 5, we may assume $\Phi=\exists E\,\varphi$, where $E$ is a new binary relation symbol and $\varphi\in\mathrm{FO}(\mathrm{PFP})$. Let $A$ be a new nullary relation symbol and let $\Phi'=\mathrm{pfp}_{A,E,xy}(\varphi,\varphi_E)$, where $\varphi_E$ is as in the proof of the previous theorem.

For every $R\subseteq|\mathfrak A|^2$, there is a path in $T_{\mathfrak A}$ labelled $(A^iE^i)_{i\ge0}$ such that, for all sufficiently large $i$, $E^i=R$ and $A^i$ is true if and only if $(\mathfrak A,R)\models\varphi$. Therefore, $\mathfrak A\models\Phi$ if, and only if, there is some interpretation of $E$ that satisfies $\varphi$, if, and only if, $\mathfrak A\models_\exists\Phi'$, as required.

(FO(PFP,δ)$_\exists\subseteq$ PSPACE) $\Phi\in\mathrm{FO}(\mathrm{PFP},\delta)$ can be evaluated using a nondeterministic Turing machine using polynomial space bounds. The fixed-point operator can be evaluated using standard techniques (see, e.g., [EF99]) and $\delta$-terms can be evaluated using the nondeterminism of the machine. By Savitch's Theorem [Sav70], NPSPACE = PSPACE and we are done. □

We could also consider the analogous FO(PFP,δ)$_\forall$. It is easy to see that this has the same expressive power as the existential semantics, since nondeterministic space classes are closed under complementation [Imm88, Sze88].

An interesting feature of fixed-point logics with choice is that, in contrast to the conventional fixed-point logics, they do not embed into infinitary logics. Both FO(PFP,δ) and FO(IFP,δ) can express the parity query on pure sets but, since $L^\omega_{\infty\omega}$ has a 0-1 law [KV92], there is no formula of $L^\omega_{\infty\omega}$ that expresses this query.
Abstract. We investigate the logical aspects of the partial λ-calculus with equality, exploiting an equivalence between partial λ-theories and partial cartesian closed categories (pcccs) established here. The partial λ-calculus with equality provides a full-blown intuitionistic higher order logic, which in a precise sense turns out to be almost the logic of toposes, the distinctive feature of the latter being unique choice. We give a linguistic proof of the generalization of the fundamental theorem of toposes to pcccs with equality; type theoretically, one thus obtains that the partial λ-calculus with equality encompasses a Martin-Löf-style dependent type theory. This work forms part of the semantical foundations for the higher order algebraic specification language HasCASL.



Introduction 

Partial functions play an important role in modern algebraic specification, serving to model both non-termination and irregular termination; specification languages featuring partial functions include RSL [8], SPECTRUM [3], and CASL [2, 15]. The natural generalization of the simply typed λ-calculus to partial functions is the partial λ-calculus [13, 14, 18], which forms the basis for the recently introduced wide-spectrum language HasCASL [23, 25]. HasCASL offers a setting for both specification and implementation of higher order functional programs; moreover, it has served as a background formalism for the development of monad-generic computational logics [22, 24]. A central role in all this is played by the fact that the partial λ-calculus with equality induces a full intuitionistic higher order logic, corresponding to HasCASL's internal logic [23]. Here, we investigate the character and expressivity of this logic more closely.

The central tool for this investigation is an equivalence between partial λ-theories with equality and partial cartesian closed categories (pcccs) with equality proved here. One associates to each pccc a partial λ-theory, its internal language, and conversely to each partial λ-theory a classifying category; the two constructions are essentially mutually inverse. Thus, one can freely move back and forth between logical and categorical formulations and arguments.

It turns out that in a hierarchy of categorical notions comprising in ascending order of strength locally cartesian closed categories, quasitoposes, and toposes, pcccs with equality fit between locally cartesian closed categories and quasitoposes. In terms of logic, locally cartesian closed categories correspond to Martin-Löf style dependent type theory [27], and toposes to intuitionistic type theory with power types [11] (the precise logical counterpart of quasitoposes is, to our knowledge, open). In particular, this means that the partial λ-calculus with equality encodes a dependent type theory; more precisely, one even has a partial version of dependent product types, which categorically relates to a novel notion of locally partial cartesian closed category. Moreover, we show that topos logic is characterized within the partial λ-calculus by the axiom of unique choice; differently put, topos logic can be recovered from the partial λ-calculus with equality by giving up the distinction between functions and functional relations.

Related work includes [13], where a semantics for the partial λ-calculus in left exact pcccs is given, as well as [18], where a classifying category construction for the pure partial λ-calculus is described, using however different categorical notions. A fuller exposition of some of the results presented here can be found in [19].



1 The Partial λ-Calculus

The partial λ-calculus [13, 14, 18] is a typed higher-order formalism that explicitly handles partial functions. It is formally similar to the simply typed λ-calculus, the crucial difference being that function types are thought of as types of partial functions. This is reflected both in the semantics [13] and in the deductive system, which has to keep track of definedness of terms.

We now give a brief definition of the syntax and deduction system of the partial λ-calculus, with one modification in comparison to [13]: there are various types of equations between partial terms, two of the more common being existential equations, to be read 'both sides are defined and equal', and strong equations, to be read 'one side is defined iff the other is, and then the two sides are equal'. While the presentation in [13] is based on strong equations, we focus mainly on existential equations, since these are slightly better suited for our categorical treatment, and give a correspondingly adapted deduction system; the expressivity of both types of equations is the same [13]. We will, moreover, for the purposes of this paper mostly be interested in theories that possess an equality predicate, which has the effect of transforming a simple λ-calculus into a full-blown higher order logic.

A partial λ-theory consists of axioms over a signature. A signature is given by sets of basic sorts and operator symbols, where the latter (thought of as representing partial maps) consist of a name and a profile, written in the form $f:\bar s\to t$. Here, $t$ is a type and $\bar s=(s_1,\ldots,s_n)$ is a multi-type, i.e. a list of types (the bar notation is used to indicate lists of items throughout). Types are freely generated from the basic sorts by closing them under the formation of partial function types, written

$\bar s\rightharpoonup t$

with $\bar s$ and $t$ as above (one cannot resort to currying for multi-argument partial functions [13]). Following [13], we assume application operators $(\bar s\rightharpoonup t)\,\bar s\to t$ in the signature, so that application does not require extra typing or deduction rules. We use the notation $\bar s\rightharpoonup\bar t$ to denote the multi-type with components $\bar s\rightharpoonup t_i$ (which is the same as a function type into the product of the $t_i$).

Given a signature, typed terms and multi-terms, i.e. lists $\bar\alpha=(\alpha_1,\ldots,\alpha_n)$ of terms, in a context $\Gamma=(\bar x:\bar s)=(x_1:s_1,\ldots,x_n:s_n)$ of distinct variables $x_i$ with assigned types $s_i$ are formed according to the typing rules

$\dfrac{x:s\ \text{in}\ \Gamma}{\Gamma\rhd x:s}\qquad\dfrac{\Gamma\rhd\bar\alpha:\bar t\qquad f:\bar t\to u}{\Gamma\rhd f(\bar\alpha):u}\qquad\dfrac{\Gamma,\bar y:\bar t\rhd\alpha:u}{\Gamma\rhd\lambda\bar y:\bar t.\,\alpha:\bar t\rightharpoonup u}$

where the judgement $\Gamma\rhd\alpha:t$ is read '(multi-)term $\alpha$ has (multi-)type $t$ in context $\Gamma$'; here, typing judgements for multi-terms are just collections of typing judgements for the constituent terms. The higher order application operator is denoted by juxtaposition, while term formation using operators from the signature is written, as above, with brackets. Where convenient, terms will be regarded as singleton multi-terms, similarly for types. For convenience, we regard the empty multi-type and the empty multi-term also as a type and a term denoted by $1$ and by $*$, respectively.

An existential equation between two terms in context $\Gamma$ is written $\Gamma\rhd\alpha=\beta$ or $\alpha=\beta$, to be understood as indicated above. Equations between multi-terms are regarded as sets of equations between terms; the union of such sets is denoted by $\wedge$, and the empty set of equations by $\top$. Equations of the form $\alpha=\alpha$ just state that $\alpha$ is defined; they are abbreviated as $\mathrm{def}\,\alpha$ (and e.g. $\mathrm{def}(\alpha,\beta)$ codes the same set of equations as $\mathrm{def}\,\alpha\wedge\mathrm{def}\,\beta$). An existentially conditioned equation (ece) in context $\Gamma$ is a sentence of the form $\Gamma\rhd\mathrm{def}\,\bar\alpha\Rightarrow\varphi$, where $\bar\alpha$ is a multi-term and $\varphi$ is an existential equation in context $\Gamma$. The axioms of a partial λ-theory are given as eces.

The deduction system for the partial λ-calculus is shown in Figure 1. Deduction takes place over a fixed context $\Gamma$ and in a theory with the set $\mathcal A$ of axioms. We write $\Gamma\rhd\mathrm{def}\,\bar\alpha\vdash\varphi$ if an equation $\varphi$ can be deduced from $\mathrm{def}\,\bar\alpha$ in context $\Gamma$ by means of these rules; in this case, $\Gamma\rhd\mathrm{def}\,\bar\alpha\Rightarrow\varphi$ is a theorem. Subderivations are also denoted in the form $\Delta\rhd\mathrm{def}\,\bar\alpha\vdash\varphi$, where the context $\Delta$ and the assumption $\mathrm{def}\,\bar\alpha$ are to be understood as extending the ambient context and assumptions. Strong equations between $\alpha$ and $\beta$ in context $\Delta$ are used as abbreviations for the subderivations $\Delta\rhd\mathrm{def}\,\alpha\vdash\mathrm{def}\,\beta$ and $\Delta\rhd\mathrm{def}\,\beta\vdash\alpha=\beta$.

The usual forms of the β- and η-rules can be derived by means of the substitution rule. The rule for λ-abstraction implies that all λ-terms are defined.

A signature morphism between two signatures is a pair of maps for sorts and operators, respectively, that is compatible with operator profiles. A translation between partial λ-theories is a signature morphism which transforms axioms into theorems. Partial λ-theories and translations form a category $\mathbf{p\lambda Th}$.
Fig. 1. Deduction rules for existential equality in context $\Gamma$



We introduce an important shorthand notation: for (multi-)terms $\alpha,\beta$, we have the conditioned term [5, 14]

$\alpha\!\upharpoonright\!\beta := (\lambda x,y.\,x)(\alpha,\beta)$

denoting $\alpha$ with its domain restricted to the common domain of $\alpha$ and $\beta$. A first use of conditioned terms is λ-abstraction of multi-terms: $\lambda\bar y:\bar t.\,\bar\alpha$ denotes the multi-term with components $\lambda\bar y:\bar t.\,\alpha_i\!\upharpoonright\!\bar\alpha$.

The partial λ-calculus automatically comes with a rudimentary logic: we can regard $\Omega=1\rightharpoonup1$ as a type of truth values, $s\rightharpoonup1$ as the type of predicates on $s$, and (partial) terms $\varphi:1$ as formulas. For such $\varphi$, we will shortly write $\varphi$ in place of $\mathrm{def}\,\varphi$, and we can turn definedness assertions into formulas by observing that for any term $\alpha$, $\mathrm{def}\,\alpha$ is, in this notation, equivalent to $(\lambda x.\,*)\,\alpha$. In the way of connectives, however, one generally does not have more than conjunction and truth, expressed e.g. via $p\wedge q=(\lambda x,y:1.\,*)(p,q)$ and $\top=*$.

The picture changes completely in the presence of an equality predicate:

Definition 1. A partial λ-theory has equality if there exists, for each type $s$, a (defined) closed term $\mathrm{eq}_s:s\,s\rightharpoonup1$ (i.e. a binary predicate on $s$) such that

$x,y:s\rhd\mathrm{eq}_s(x,y)\Rightarrow x=y$ and $x:s\rhd\mathrm{eq}_s(x,x)$.

(See also [6, 13].) Note that the axioms for $\mathrm{eq}_s$ are eces. When there is no danger of confusion, we shall write $\alpha=\beta$ in place of $\mathrm{eq}(\alpha,\beta)$. Equality gives rise to a full-fledged intuitionistic logic, along much the same lines as in [6, 11]: letting $p$ and $q$ range over (partial) terms of type $1$, we can put

$p\Rightarrow q := \big((\lambda.\,p)=\lambda.\,p\wedge q\big)$,
$\forall y:t.\,p := \big((\lambda y:t.\,p)=\lambda y:t.\,\top\big)$,
$\bot := \forall a:\Omega.\,a\,*$,
$\neg p := p\Rightarrow\bot$,
$p\vee q := \forall a:\Omega.\,\big((p\Rightarrow a\,*)\wedge(q\Rightarrow a\,*)\big)\Rightarrow a\,*$, and
$\exists y:t.\,p := \forall a:\Omega.\,(\forall y:t.\,p\Rightarrow a\,*)\Rightarrow a\,*$,

where we omit unused variables of type $1$ from λ-abstractions (note that all right hand sides are partial terms of type $1$). The usual deduction rules of intuitionistic higher order logic are obtained as lemmas. The main topic of this paper is the closer investigation of this logic.
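An added worked unfolding of these definitions (an editorial example, not part of the paper), showing why $\mathrm{def}\,\alpha$ and the conditioned term behave as stated above and what $\neg p$ and $p\vee q$ look like once the abbreviations are expanded down to $\mathrm{eq}$, $\lambda$ and application. The only facts assumed are the two the text attributes to the deduction system of Figure 1: λ-terms are always defined, and an application is defined only if its arguments are.

```latex
% Added worked example (not part of the paper). All terms below have type 1,
% and "p" abbreviates def p, as agreed in the text.
% (1) Definedness as a formula. For \alpha : s the term (\lambda x:s.\,*)\,\alpha : 1 is defined
%     iff \alpha is: the abstraction is total, and an application is defined only
%     when its argument is.
\mathrm{def}\,\alpha \;\Longleftrightarrow\; (\lambda x:s.\,*)\,\alpha \\
% (2) The conditioned term restricts to the common domain: the application of the
%     total term \lambda x,y.\,x to the multi-term (\alpha,\beta) needs both components
%     defined, and then \beta-reduces to \alpha.
\mathrm{def}(\alpha\!\upharpoonright\!\beta)
  \;=\; \mathrm{def}\big((\lambda x,y.\,x)(\alpha,\beta)\big)
  \;\Longleftrightarrow\; \mathrm{def}\,\alpha \wedge \mathrm{def}\,\beta,
  \qquad \alpha\!\upharpoonright\!\beta = \alpha \text{ whenever defined.} \\
% (3) Negation unfolds to an existential equation between two closed terms of type
%     \Omega = 1 \rightharpoonup 1, i.e. to eq_\Omega applied to them; the unused
%     variable of type 1 is omitted from the abstractions as in the text:
\neg p \;=\; p \Rightarrow \bot
     \;=\; \mathrm{eq}_\Omega\big(\lambda.\,p,\ \lambda.\,(p \wedge \bot)\big)
     \;=\; \mathrm{eq}_\Omega\big(\lambda.\,p,\ \lambda.\,(\lambda x,y:1.\,*)(p,\ \forall a:\Omega.\,a\,*)\big) \\
% (4) Disjunction: the outer \forall is an eq at type \Omega \rightharpoonup 1, and each
%     inner \Rightarrow is again an eq_\Omega between abstractions, so the whole right
%     hand side is built from eq, \lambda, application and * alone:
p \vee q \;=\; \mathrm{eq}_{\Omega\rightharpoonup 1}\Big(
      \lambda a:\Omega.\,\big(((p \Rightarrow a\,*) \wedge (q \Rightarrow a\,*)) \Rightarrow a\,*\big),\ \
      \lambda a:\Omega.\,\top\Big) \\
% (5) The atoms: \top = * is a total closed term, so def \top holds outright;
%     \bot = \forall a:\Omega.\,a\,* asserts that \lambda a:\Omega.\,a\,* and
%     \lambda a:\Omega.\,* are equal, i.e. that every a : \Omega is defined at *.
```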

2 Partial Cartesian Closed Categories

We now give a brief outline of the categorical setting for the semantics, and indeed the syntax, of the partial λ-calculus.

Given a category whose morphisms are thought of as total functions, partial functions $A\rightharpoonup B$ correspond to spans $(m,f)$ of the form

$A\ \overset{m}{\leftarrowtail}\ \cdot\ \overset{f}{\longrightarrow}\ B$

where $m$ is a monomorphism of a restricted class $\mathcal M$ representing the domain of definition, taken modulo isomorphism in the obvious sense. The composite of $(m,f)$ and a partial morphism $(n,g)$ from $B$ to $C$ is defined as $(m\circ f^*n,\ g\circ f^*)$, where $f^*n$ and $f^*$ are the two sides of the pullback of $n$ along $f$. In order for this to be possible, we have to require a few closure properties of $\mathcal M$:

Definition 2. A class of monomorphisms in a category $\mathbf C$ is called a dominion [18] if it contains all identities and is closed under composition and pullbacks, i.e. pullbacks of $\mathcal M$-morphisms (along arbitrary morphisms) exist and are in $\mathcal M$. A dominional category is a pair $(\mathbf C,\mathcal M)$, where $\mathcal M$ is a dominion on $\mathbf C$; an admissible subobject is an element of $\mathcal M$. A functor between dominional categories is called dominional if it preserves admissible subobjects and their pullbacks. An equivalence functor between dominional categories is called a dominional equivalence if it preserves and reflects admissible subobjects; it is then automatically a dominional functor.
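As an added worked example (editorial, not from the paper), the span composite above computed in the dominional category $(\mathbf{Set},\mathrm{Mono})$, where every monomorphism is admissible; the two partial functions on $\mathbb N$ are constructed for illustration:

```latex
% Added worked example (not part of the paper): composing two partial functions
% as spans in (Set, Mono). A partial function A ⇀ B is a span A ↢ D → B with
% D ⊆ A its domain of definition.
\text{Let } A = B = C = \mathbb N \text{ and} \\
(m,f): \mathbb N \rightharpoonup \mathbb N,\quad D = \{\,x : x \text{ even}\,\},\quad f(x) = x/2, \\
(n,g): \mathbb N \rightharpoonup \mathbb N,\quad E = \{\,y : y \geq 3\,\},\quad g(y) = y - 3. \\
% Pullback of n : E ↪ N along f : D → N. In Set this is the inverse image of E
% under f together with the restriction of f to it:
f^{*}E \;=\; \{\,x \in D : f(x) \in E\,\} \;=\; \{\,x \text{ even} : x/2 \geq 3\,\} \;=\; \{6, 8, 10, \dots\}, \\
f^{*}n : f^{*}E \hookrightarrow D \ \text{(inclusion)}, \qquad f^{*} : f^{*}E \to E,\ x \mapsto x/2. \\
% The square n ∘ f^* = f ∘ f^*n commutes and is a pullback; f^*n is again a mono,
% so it lies in the dominion Mono, as Definition 2 requires.
% Composite span (m ∘ f^*n, g ∘ f^*):
(n,g)\circ(m,f) \;=\; \big(\ \{6,8,10,\dots\} \hookrightarrow \mathbb N,\ \ x \mapsto x/2 - 3\ \big). \\
% Reading: the composite is defined exactly where the first map is defined and its
% value lies in the domain of the second, which is the usual composition of partial
% functions. Shrinking the dominion (e.g. to the Scott open subsets in the cpo
% example mentioned later in this section) changes which spans count as partial
% morphisms but not this composition formula, because pullbacks of M-monos stay in M.
```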
A dominion $\mathcal M$ is closed under intersections. If $m$ is a monomorphism and $mg\in\mathcal M$, then $g\in\mathcal M$. In particular, $\mathcal M$ contains all isomorphisms. For a dominional category $(\mathbf C,\mathcal M)$, the partial morphisms form a category $\mathbf P(\mathbf C,\mathcal M)$, which contains $\mathbf C$ as a (non-full) subcategory [17, 18].

As usual, we call a category (functor, subcategory) cartesian if it has (preserves, is closed under) finite products; the terminal object is denoted by $1$. In a cartesian dominional category $(\mathbf C,\mathcal M)$, $\mathcal M$ is closed under products (but not under pairing). Cartesian dominional categories are equivalent to first order partial equational theories [20].

Definition 3. A cartesian dominional category $(\mathbf C,\mathcal M)$ has equality if $\mathcal M$ contains all diagonals $A\to A\times A$.

If $(\mathbf C,\mathcal M)$ has equality, then $\mathbf C$ has equalizers (hence is finitely complete, shortly: left exact or lex), and $\mathcal M$ contains all regular monomorphisms and is closed under pairing.
The semantics of the partial λ-calculus has been given in terms of a class of dominional categories called partial cartesian closed categories (pcccs) [13]. The crucial feature of a pccc is that it admits the interpretation of partial function types as partial function spaces $A\rightharpoonup B$, which are defined by the property that partial morphisms from $C\times A$ to $B$ are in bijective correspondence with total morphisms $C\to(A\rightharpoonup B)$. More formally,

Definition 4. A cartesian dominional category $(\mathbf C,\mathcal M)$ is called a partial cartesian closed category (pccc) if the composite functor

$\mathbf C\xrightarrow{\ \_\times A\ }\mathbf C\hookrightarrow\mathbf P(\mathbf C,\mathcal M)$

has a right adjoint for each object $A$ in $\mathbf C$.

(This definition is weaker than the one given in [13] in that we do not require left exactness.) Every lex pccc is cartesian closed [6].

Partial function spaces $A\rightharpoonup B$ in a pccc come with a co-universal partial evaluation morphism $\mathrm{ev}$ from $(A\rightharpoonup B)\times A$ to $B$. Explicitly, every partial morphism $f$ from $C\times A$ to $B$ factors uniquely as $\mathrm{ev}\circ(\hat f\times A)$ in $\mathbf P(\mathbf C,\mathcal M)$ by a total morphism $\hat f:C\to(A\rightharpoonup B)$ called its abstraction.

For a pccc $(\mathbf C,\mathcal M)$, the embedding $\mathbf C\hookrightarrow\mathbf P(\mathbf C,\mathcal M)$ is left adjoint, being isomorphic to $\_\times1$. Spelling this out yields that $\mathcal M$-partial morphisms in $(\mathbf C,\mathcal M)$ are representable [1, 18], with the partial morphisms into $A$ represented by $1\rightharpoonup A$. In particular, $\Omega=1\rightharpoonup1$ classifies $\mathcal M$-subobjects. By consequence, ... $\mathcal M$ ...

Of particular interest is the case that the pccc $(\mathbf C,\mathcal M)$ has equality. In this case, $\mathcal M=\mathrm{RegMono}(\mathbf C)$, so that we can leave $\mathcal M$ implicit. In fact, pcccs with equality can be succinctly characterized as cartesian closed categories with representable regular partial morphisms in which regular monos are stable under composition; a further characterization will be given in Section 5. In particular, every quasi-topos is a pccc with equality (but not conversely [1]). A typical example of a pccc without equality is the category of cpos and continuous functions with Scott open sets [26] as admissible subobjects.
Definition 5. A cartesian dominional functor between two pcccs is called a pcc functor if it preserves partial function spaces. This defines the category $\mathbf{PCCC}$ of pcccs.

Remark 6. There is a large number of axiomatizations of categories where partial morphisms are directly treated as arrows. Essentially, these axiomatizations characterize full subcategories of $\mathbf P(\mathbf C,\mathcal M)$ for some cartesian dominional category $(\mathbf C,\mathcal M)$ or, in the higher order case equivalently, of Kleisli categories arising from representations of partial morphisms, i.e. from the adjunction between $(\mathbf C,\mathcal M)$ and $\mathbf P(\mathbf C,\mathcal M)$ for some $(\mathbf C,\mathcal M)$ [4, 6, 17]. In these approaches, categories of the form $\mathbf P(\mathbf C,\mathcal M)$ are typically distinguished by a splitting condition for subfunctions of the identity which ensures that domains of partial functions are actually objects. For the purposes of this paper, as well as the (logically posterior) paper on Henkin models [21], it appears to be more convenient to work directly with the underlying dominional categories. In particular, this makes the relation of pcccs with toposes and locally cartesian closed categories more immediate; moreover, certain categorical techniques such as in particular the use of representable functors (which plays a crucial role in [21]) are more directly available.

3 The Internal Language and Its Interpretation

We now establish an equivalence between partial λ-theories with equality and pcccs with equality, proceeding as follows: we associate to each pccc $(\mathbf C,\mathcal M)$ an internal language $\mathrm L(\mathbf C,\mathcal M)$, thus obtaining a functor

$\mathrm L:\mathbf{PCCC}\to\mathbf{p\lambda Th}.$

In this process, we will introduce an interpretation of $\mathrm L(\mathbf C,\mathcal M)$ in $(\mathbf C,\mathcal M)$, for which we prove a soundness theorem. We will then construct classifying categories for partial λ-theories with equality, i.e. free objects w.r.t. the functor $\mathrm L$. It will turn out that every pccc with equality is equivalent to the classifying category of its internal language, and that the internal logic of the classifying category of a partial λ-theory is a conservative extension, so that pcccs with equality are essentially the same as partial λ-theories with equality.

To begin, we associate a signature $\Sigma$ to a pccc $(\mathbf C,\mathcal M)$. The sorts in $\Sigma$ are the objects of $\mathbf C$. An interpretation $\llbracket\_\rrbracket$ in $\mathbf C$ for types and multi-types is defined recursively in the obvious way using products and partial function spaces. The operators of profile $\bar s\to t$ in $\Sigma$ are the partial morphisms from $\llbracket\bar s\rrbracket$ to $\llbracket t\rrbracket$ in $(\mathbf C,\mathcal M)$, with evaluation morphisms (cf. Section 2) as application operators.

The interpretation $\llbracket\_\rrbracket$ is then extended to contexts, terms, multi-terms, and definedness conditions: for a context $\Gamma=(\bar x:\bar s)$, $\llbracket\Gamma\rrbracket=\llbracket\bar s\rrbracket$. Given a term or multi-term $\Gamma\rhd\bar\alpha:\bar t$, we define a partial morphism denoted

$\llbracket\Gamma\rrbracket\ \leftarrowtail\ \llbracket\Gamma.\,\mathrm{def}\,\bar\alpha\rrbracket\ \xrightarrow{\ \llbracket\Gamma.\,\bar\alpha\rrbracket\ }\ \llbracket\bar t\rrbracket$
by recursion over the term structure: variables are interpreted as (total) product projections, and operator application as composition of partial morphisms. Multi-terms are modelled by intersecting the domains of the components and tupling the resulting restrictions. Finally, $\llbracket\Gamma.\,\lambda\bar y:\bar u.\,\beta\rrbracket$ is defined as the abstraction of $\llbracket\Gamma,\bar y:\bar u.\,\beta\rrbracket$ (cf. Section 2). We will denote any existing domain-codomain restrictions of $\llbracket\Gamma.\,\bar\alpha\rrbracket$ to subobjects of $\llbracket\Gamma\rrbracket$ and $\llbracket\bar t\rrbracket$, respectively, by $\llbracket\Gamma.\,\bar\alpha\rrbracket$ as well. This interpretation leads to a notion of satisfaction in $\mathbf C$:

Definition 7. An ece $\Gamma\rhd\mathrm{def}\,\bar\alpha\Rightarrow\beta_1=\beta_2$ over $\Sigma$ holds in $(\mathbf C,\mathcal M)$ if $\llbracket\Gamma.\,\mathrm{def}\,\bar\alpha\rrbracket$ is contained in $\llbracket\Gamma.\,\mathrm{def}(\beta_1,\beta_2)\rrbracket$ and the restrictions of the $\llbracket\Gamma.\,\beta_j\rrbracket$ to $\llbracket\Gamma.\,\mathrm{def}\,\bar\alpha\rrbracket$ coincide.

The definition of $\mathrm L(\mathbf C,\mathcal M)$ is completed by taking the eces that hold in $(\mathbf C,\mathcal M)$ as the axioms of $\mathrm L(\mathbf C,\mathcal M)$. The theory $\mathrm L(\mathbf C,\mathcal M)$ has equality iff $(\mathbf C,\mathcal M)$ does. The deduction system of Figure 1 is sound for this interpretation:

Theorem 8 (Soundness). Every theorem of $\mathrm L(\mathbf C,\mathcal M)$ holds in $(\mathbf C,\mathcal M)$.

The proof hinges on the following lemma:

Lemma 9 (Substitution). Let $\Gamma\rhd\bar\alpha:\bar t$ and $\Delta\rhd\beta:u$ be terms in $\mathrm L(\mathbf C,\mathcal M)$, where $\Delta=(\bar y:\bar t)$. Then $\llbracket\Gamma.\,\bar\alpha\rrbracket$ restricts to a morphism $\llbracket\Gamma.\,\mathrm{def}(\beta[\bar\alpha/\bar y],\bar\alpha)\rrbracket\to\llbracket\Delta.\,\mathrm{def}\,\beta\rrbracket$ ...




4 Classifying Categories

Thanks to the internal logic, the effort required for the construction of a classifying category for a partial λ-theory with equality is essentially no greater than in the first order case as carried out in [20]: in that case, objects of the classifying category are pairs $(\Gamma.\,\varphi)$ consisting of a context $\Gamma$ and a definedness assertion $\varphi$ in that context. This construction can be copied literally for partial λ-theories with equality; the point is that partial function spaces $(\Gamma.\,\varphi)\rightharpoonup(\Delta.\,\psi)$ may safely be regarded as subobjects of the partial function space $\Gamma\rightharpoonup\Delta$, so that no additional objects are required to obtain partial cartesian closedness.

In general, given a partial λ-theory $T$, we construct a syntactic category $\mathrm{Sy}(T)$ as follows: the objects are definedness-assertions-in-context $(\Gamma.\,\varphi)$ as indicated above (i.e. $\varphi=\mathrm{def}\,\bar\beta$ for some multi-term $\bar\beta$). Morphisms $(\Gamma.\,\varphi)\to(\Delta.\,\psi)$, where $\Gamma=(\bar x:\bar s)$ and $\Delta=(\bar y:\bar t)$, are multi-terms $\Gamma\rhd\bar\alpha:\bar t$ such that

$\Gamma\rhd\varphi\vdash\psi[\bar\alpha/\bar y]\wedge\mathrm{def}\,\bar\alpha,$
taken modulo equality deducible from $\varphi$. The identity on $(\Gamma.\,\varphi)$ is $\bar x$; composition is substitution. A subobject is admissible (regular) in $\mathrm{Sy}(T)$ iff it has a representative of the form

$\bar x:(\Gamma.\,\varphi)\to(\Gamma.\,\psi).$

It is shown as in the first order case [20] that $\mathrm{Sy}(T)$ is a cartesian dominional category, with products given by concatenation of contexts and conjunction of definedness assertions, $1=((\,).\,\top)$, and the pullback of $(\Gamma.\,\varphi)\to(\Gamma.\,\psi)$ along a morphism $\bar\alpha:(\Delta.\,\chi)\to(\Gamma.\,\psi)$ being $(\Delta.\,\chi\wedge\varphi[\bar\alpha/\bar x])$.

Theorem 10. If $T$ has equality, then $\mathrm{Sy}(T)$ is a pccc.

Proof. Recall the logic defined using equality as described in Section 1. Given objects $(\Gamma.\,\varphi)$ and $(\Delta.\,\psi)$ as above, and $\bar z:\bar s\rightharpoonup\bar t$ (cf. Section 1), let $\mathrm{dc}(\bar z,\bar x)$ abbreviate the formula

$(\mathrm{def}\,z_1\bar x\Rightarrow\mathrm{def}\,z_2\bar x)\wedge\ldots\wedge(\mathrm{def}\,z_m\bar x\Rightarrow\mathrm{def}\,z_1\bar x)$

ensuring that all components of $\bar z$ have the same domain of definition, and write $\bar z(\bar x)$ for $(z_1(\bar x),\ldots,z_m(\bar x))$. Then the object

$\big(\bar z:\bar s\rightharpoonup\bar t.\ \ \forall\bar x.\,\mathrm{dc}(\bar z,\bar x)\wedge(\mathrm{def}\,\bar z\bar x\Rightarrow(\varphi\wedge\psi[\bar z\bar x/\bar y]))\big)$

is the partial function space $(\Gamma.\,\varphi)\rightharpoonup(\Delta.\,\psi)$, with $\bar z(\bar x)$ as evaluation map. □
A translation $\sigma:T_1\to T_2$ between partial λ-theories induces a functor

$\mathrm{Sy}(\sigma):\mathrm{Sy}(T_1)\to\mathrm{Sy}(T_2)$

which, in the case with equality, preserves the pccc structure since this structure has the syntactical description given above.

We will now show that $\mathrm{Sy}(T)$ is, for $T$ with equality, free over $T$ w.r.t. $\mathrm L$. The corresponding unit is the translation

$\eta_T:T\to\mathrm L(\mathrm{Sy}(T))$

that maps a sort $s$ to $(x:s)$ and an operator $f:\bar s\to t$ to the operator in $\mathrm L(\mathrm{Sy}(T))$ given by the partial morphism $(\bar x:\bar s)\leftarrowtail(\bar x:\bar s.\,\mathrm{def}\,f(\bar x))\to(x:t)$. By the soundness theorem (for $\mathrm L(\mathrm{Sy}(T))$), $\eta_T$ is indeed a translation.

Given a pccc $(\mathbf C,\mathcal M)$, the co-unit

$\varepsilon_{(\mathbf C,\mathcal M)}:\mathrm{Sy}(\mathrm L(\mathbf C,\mathcal M))\to(\mathbf C,\mathcal M)$

of the adjunction maps an object $(\Gamma.\,\varphi)$ in $\mathrm{Sy}(\mathrm L(\mathbf C))$ to $\llbracket\Gamma.\,\varphi\rrbracket$ and a morphism $\bar\alpha:(\Gamma.\,\varphi)\to(\Delta.\,\psi)$ to the composite

$\llbracket\Gamma.\,\varphi\rrbracket\to\llbracket\Gamma.\,\psi[\bar\alpha/\bar y]\wedge\mathrm{def}\,\bar\alpha\rrbracket\to\llbracket\Delta.\,\psi\rrbracket$
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of the inclusion provided by soundness theorem and the restriction of d] 
according to the substitution lemma. Using the soundness theorem and the sub- 
stitution lemma, it is shown that this defines a dominional , ^ .In par- 

ticular, Sy(L(C, At)) is a pccc, and E(^c,m) is a pcc functor. 

This is all we need in order to prove 

Theorem 11. , T ^ ^ Sy(T) ^ ^ T ^ ^ ^ ^ 

, ' , ^ l(c,ai), ‘ (C,M) , ‘ 

, L(CT#)r/r, cr# : Sy(T) ^ (C,M) 

Here, ‘essentially’ means that $\sigma^\#$ is unique up to a unique natural isomor- 
phism. Thus, Sy(T) is determined up to equivalence by this property. 

Proof. The uniqueness statement is clear. To prove existence, just note that 
$\sigma^\# := \varepsilon_{(\mathbf{C},\mathcal{M})} \circ \mathrm{Sy}(\sigma)$ has the required properties. □ 

This theorem justifies calling Sy(T) the classifying category of T, denoted 
from now on by Cl(T). (For partial λ-theories without equality, Sy(T) and Cl(T) 
will in general be different.) Since $\varepsilon_{(\mathbf{C},\mathcal{M})}$ is an equivalence, the category of pc- 
ccs with equality is essentially (i.e. up to 2-dimensional equivalence) the Kleisli 
category of the (2-)adjunction Cl ⊣ L. The objects of this category are the partial 
λ-theories with equality; the morphisms from $T_1$ to $T_2$ are the translations from 
$T_1$ to L(Cl($T_2$)). These morphisms are naturally generalized translations: sorts 
are mapped to ‘types’, i.e. domains of multi-terms, and symbols are mapped 
to multi-terms (all partial morphisms in Sy($T_2$) may be written in the form 
$(\Gamma.\phi) \leftarrowtail (\Gamma.\ \mathrm{def}\ a) \to \cdot$); moreover, two morphisms of this kind are identi- 
fied if they map all symbols to strongly equal multi-terms. We have established 
that 

, , , , A , , 

Remark 12. Without equality, the construction of the classifying category be- 
comes more complex, since it is no longer possible to define partial function 
spaces $(\Gamma.\phi) \rightharpoonup (\Delta.\psi)$ as subspaces of $\Gamma \rightharpoonup \Delta$. (The obvious idea of using the 
Yoneda extension is probably not the right one, for reasons laid out in [19].) 
In [19], this problem is solved by moving to an extended theory with equality 
and a dominance [18]; the classifying category of the original theory is then 
obtained as a subcategory of the classifying category of the extended theory, 
the latter being constructed as above. This establishes an equivalence between 
partial λ-theories and pcccs. 

5 Unique Choice 

We now proceed with the investigation of the higher order logic induced by a 
partial λ-theory with equality, exploiting the equivalence result proved above. In 
particular, we make use of the fact that every pccc $\mathbf{C}$ with equality is equivalent 
to Cl(L($\mathbf{C}$)); in fact, in the following we shall not distinguish between these two 
categories at all. 




The Logic of the Partial λ-Calculus with Equality 



It is at first sight slightly puzzling that pcccs with equality are equivalent 
to intuitionistic HOL, although the latter is more commonly associated with 
toposes; see e.g. [11], where in fact toposes are constructed from type theories 
that can be translated into the partial λ-calculus with equality. We stress that 
pcccs with equality are substantially weaker than even quasitoposes [1], which 
in turn are far more general than toposes — e.g., there are many non-trivial 
quasitoposes in topology [28], while the only topos which is at the same time a 
topological category over Set is Set itself. It turns out that the crucial point 
here is unique choice. 

For the remainder of this section, let $\mathbf{C}$ be a pccc with equality. It can be 
shown that a morphism in $\mathbf{C}$ is a monomorphism (epimorphism) iff the obvious 
internal formula expressing injectivity (surjectivity) holds in $\mathbf{C}$. In particular, 
given a morphism $f : A \to B$, its factorization through the subobject 

$$(b : B.\ \exists a : A.\ f(a) = b)$$

of $B$ is an (Epi, Regular Mono)-factorization, i.e. (Epi, Regular Mono) is a 
factorization structure on $\mathbf{C}$ (thus, $\mathbf{C}$ automatically satisfies condition 19.1.1 
in [28]). Hence, all extremal monomorphisms in $\mathbf{C}$ are regular; thus, we obtain 
a further characterization of pcccs with equality as , , , - ' , , 

. , I , , , , ^ ^ ^ . In particular, quasitoposes are 

precisely the finitely cocomplete pcccs with equality. 

For each object $A$ in $\mathbf{C}$, we have a type 

$$(x : A \rightharpoonup 1.\ \exists! a : A.\ x\,a)$$

of singleton subsets (predicates) of $A$. A morphism (the singleton map) from $A$ into this type is given by 
the term $(a : A) \mapsto \lambda b : A.\ b = a$. 
Proposition 13. A , , , ^ i 

Or A 

( ) ' , ^ 

(ii) for every object $B$ and every relation $R : B \times A \rightharpoonup 1$ in $\mathbf{C}$, 

$$(\forall x : B,\ y, z : A.\ R(x,y) \wedge R(x,z) \Rightarrow y = z) \Rightarrow (\exists f : B \rightharpoonup A.\ \forall x : B,\ y : A.\ f\,x = y \Leftrightarrow R(x,y))$$

( ) , A , , , . 

An object that satisfies the equivalent conditions in the above proposition 
is called ^ ^ , following [16] and [28], where Conditions (i) and (iii) are used. 

Condition (ii) is often referred to as unique choice (although it is usually for- 
mulated in terms of total functions). An inverse $f$ of the singleton map can be regarded as a 
partial morphism from $A \rightharpoonup 1$ to $A$. Thus, we can define a definite description operator by 

$$\iota a : A.\ \phi := f(\lambda a : A.\ \phi)$$

for a formula $\phi$ in context $a : A$ — i.e. $\iota a : A.\ \phi$ is the unique element of $A$ 
satisfying $\phi$, if such an element indeed exists uniquely, and is otherwise undefined. 

An immediate consequence of the above proposition is that we can axiomatize 
toposes in the partial λ-calculus: 

Theorem 14. > 1 1 •' t ' ' t ' t • > ^ ^ / 

Thus, the initial question of what class of categories intuitionistic HOL really 
corresponds to may be resolved as follows: 



In the construction of the classifying topos given in [11], unique choice is 
implicit in that morphisms are functional relations; in the same way, one can 
construct a topos from $\mathbf{C}$ (i.e. from a partial λ-theory with equality). An alter- 
native way of obtaining an equivalent topos is the following observation. 

Theorem 15. , , Ind(C) ^ 

c f ‘ ‘ \ ,^‘a 

Ind(C) , , , > C , , , , , , , , 

C E , V Ind(C) 

(The first clause of this theorem slightly generalizes results of [16,28].) In 
particular, Ind($\mathbf{C}$) contains $\Omega$ and all the singleton types $(x : A \rightharpoonup 1.\ \exists!a : A.\ x\,a)$, since for these 
objects, the unique choice function can actually be written as a term. Ind($\mathbf{C}$) is 
equivalent to the topos of functional relations over $\mathbf{C}$ because the sing\-leton map $A \to (x : A \rightharpoonup 1.\ \exists!a : A.\ x\,a)$ becomes an 
isomorphism when regarded as a functional relation. 

An important consequence of Theorem 14 is that results obtained using the 
interplay of partial λ-theories and pcccs apply also to toposes. This includes 
in particular the equivalence result for Henkin models of pcccs [21], which in 
its thus obtained specialized form states that, given a topos $\mathbf{E}$, models (logical 
morphisms) of $\mathbf{E}$ in toposes are essentially equivalent to Henkin models of $\mathbf{E}$, 
i.e. lex functors $\mathbf{E} \to \mathbf{Set}$. 

Remark 16. A further point regarding the relationship of these results to [11] 
that requires clarification is the following. In loc. cit., it is claimed (correctly) that 
the extension of a type theory to the internal language of its classifying topos, 
constructed as the topos of functional relations, is conservative. The type theory 
used in loc. cit. can be regarded as a sublanguage of the partial λ-calculus with 
internal equality; the fact that the latter does not prove unique choice, which 
however holds in all toposes, appears at first sight to contradict the mentioned 
conservativity result. However, this is resolved by noting that the type theory 
of [11] (like most other versions of topos logic including the original Mitchell- 
Bénabou language [12]) in fact cannot even formulate unique choice, since it does not 
have actual function types. In other words, the logic of pcccs with internal 
equality differs from topos logic in that it takes functions rather than subsets as 
the primitive notion and then distinguishes between ‘maps’ (functional relations) 
and ‘morphisms’ (functions). 
6 Dependent Types 

An important aspect of toposes is that they admit a Martin-Löf style dependent 
type theory; categorically, this means that every topos $\mathbf{E}$ is locally cartesian 
closed [9,27], i.e. every slice $\mathbf{E}/A$ is cartesian closed — this is the non-trivial 
part of the fundamental theorem of toposes [10]. It is known that this theorem 
holds also for quasitoposes [16,28], and a proof that the statement generalizes 
to pcccs with equality can be extracted from [28]. This implies that the partial 
λ-calculus with equality already includes dependent type theory, in particular 
has dependent product types. We now give a simple linguistic proof of the funda- 
mental theorem; moreover, we present a novel notion of locally partial cartesian 
closed category. 

The intuition behind the correspondence between local cartesian closedness 
and dependent types is the following. Let $\mathbf{C}$ be locally cartesian closed. A type 
$C$ depending on a variable $y : B$ is regarded as a bundle, i.e. a morphism $g : 
C \to B$, with $C(y)$ being the fibre of $g$ over $y$. Dependent sum types are then 
defined simply by composition: if the type $B = B(x)$ depends on a variable 
$x : A$, i.e. is a bundle $f : B \to A$, then $\Sigma y : B(x).\,C(y) = \Sigma_f g$ is just the 
composite $fg : C \to A$. Dependent product types, on the other hand, arise 
by exponentiation in the slice category. The point here is that local cartesian 
closedness is equivalent to the existence of right adjoints $\Pi_f$ for all pullback 
functors $f^* : \mathbf{C}/A \to \mathbf{C}/B$, $f : B \to A$ [7]. Intuitively, for types $B(x)$, $D(x)$ 
depending on $x : A$, i.e. bundles $f : B \to A$, $h : D \to A$, the fibre over $x : A$ 
of the function space $f \to h$ in $\mathbf{C}/A$ is the function space $B(x) \to D(x)$. For 
$g : C \to B$ and $f : B \to A$ as above, the fibre over $x : A$ of $\Pi y : B.\,C(y) = \Pi_f g$ 
is the subspace of sections of $g$ in the fibre of $f \to fg$; this fibre may be thought 
of as $B(x) \to \Sigma y : B(x).\,C(y)$. 

The mentioned characterization of local cartesian closedness can be general- 
ized to the partial setting: for an object $A$ in a dominional category $(\mathbf{C}, \mathcal{M})$, the 
$\mathcal{M}$-carried morphisms form a dominion on $\mathbf{C}/A$, also denoted $\mathcal{M}$. For $f : B \to A$, 
$h : D \to A$, the morphisms $f \to h$ in $P(\mathbf{C}/A, \mathcal{M})$ are partial commutative triangles, 
i.e. partial morphisms $k : B \rightharpoonup D$ such that $hk = f$ holds on the domain of $k$. 

Theorem and Definition 17. (C,A1) , i . , , 

(C/A,M) , ,, , A 

f* : C/A ^ C/B P{C/ B,M) 

r , nP f :B^A ^ , , , (C,M) , 

,, . locally partial cartesian closed 

The elements of $\Pi^p_f g$ are partial sections of $g$, i.e. partial functions $h$ such 
that $gh = \mathrm{id}$ on the domain of $h$. In particular, partial function spaces $A \rightharpoonup B$ 
in $(\mathbf{C}, \mathcal{M})$ may be recovered as $\Pi^p x : A.\,B$. 

In this terminology, the fundamental theorem reads as follows. 



Theorem 18. 
As mentioned above, a categorical proof can essentially be found in [28]. The 
equivalence result of Section 4 allows a simple and transparent linguistic proof: 

Proof. Let $\mathbf{C}$ be a pccc with equality. The partial function space $f \rightharpoonup g$ for two 
objects $f : B \to A$, $g : C \to A$ of $\mathbf{C}/A$, expressed in Cl(L($\mathbf{C}$)), is 

$$(x : A,\ y : B \rightharpoonup C.\ \forall z : B.\ \mathrm{def}\ y\,z \Rightarrow (f(z) = x \wedge g(y\,z) = x))\qquad\square$$

Conclusions and Future Work 

We have identified the logic of the partial λ-calculus with equality as the internal 
logic of partial cartesian closed categories (pcccs) with equality. Building on this 
result, we have clarified the relationship of this logic with various other higher 
order logics that have categorical counterparts. In particular, a partial λ-theory 
with equality is the internal language of a topos iff it satisfies the unique choice 
axiom, and the partial λ-calculus with equality encodes a dependent type theory 
with partial dependent products — a known generalization of the fundamental 
theorem of toposes to pcccs with equality [16, 28], for which we give a transparent 
linguistic proof. An open problem that remains is to find, somewhere between 
topos logic and the partial λ-calculus, the precise internal logic of quasitoposes. 

This work forms part of the semantical foundations of HasCasl. The equiv- 
alence of pcccs and partial λ-theories is needed to prove the equivalence between 
the semantics of the partial λ-calculus in pcccs on the one hand and a Henkin- 
style set-theoretic model theory on the other hand [21]. The relevance of unique 
choice, universally or for certain types, has become apparent e.g. in [22]. The im- 
plications of the fact that dependent types are encodable in the partial λ-calculus 
w.r.t. the specification methodology of HasCasl are under investigation. 
Abstract. Security properties are profitably expressed using notions of contex- 
tual equivalence, and logical relations are a powerful proof technique to establish 
contextual equivalence in typed lambda calculi, see e.g. Sumii and Pierce’s log- 
ical relation for a cryptographic lambda-calculus. We clarify Sumii and Pierce’s 
approach, showing that the right tool is prelogical relations, or lax logical rela- 
tions in general: relations should be lax at encryption types, notably. To explore 
the difficult aspect of fresh name creation, we use Moggi’s monadic lambda- 
calculus with constants for cryptographic primitives, and Stark’s name creation 
monad. We define logical relations which are lax at encryption and function types 
but strict (non-lax) at various other types, and show that they are sound and com- 
plete for contextual equivalence at all types. 

Keywords: Logical relations, monads, cryptographic lambda-calculus. 
1 Introduction 

There are nowadays many existing models for cryptographic protocol verification. The 
most well-known are perhaps the Dolev-Yao model (after [7], see [6] for a survey) and 
the spi-calculus of [1]. A lesser known model was introduced by Sumii and Pierce [18], 
the cryptographic lambda-calculus. This has certain advantages; notably, higher-order 
behaviors are naturally taken into account, something that is ignored in other models (although, 
at the moment, higher order is not perceived as a needed feature in cryptographic proto- 
cols). Better, second-order terms naturally encode asymmetric encryption. It may also 
be appealing to consider that proving security properties in the cryptographic lambda- 
calculus can be achieved through the use of well-crafted logical relations, a tool that has 
been used many times with considerable success in the λ-calculus: see [12, Chapter 8], 
for numerous examples. Sumii and Pierce [18] in particular define three logical relations 
that can be used to establish contextual equivalence, hence prove security properties, but 
completeness remains open. 

Our contributions are twofold: first, we clarify the import of Sumii and Pierce as far 
as the behavior of logical relations on encryption types is concerned, and simplify it to 
the point that we reduce it to prelogical relations [10] and more generally to lax logical 
relations [16]; while standard recourses to the latter were usually required because of 
arrow types, here we require the logical relations to be lax at encryption types. Second, 
we prove various completeness results: two terms are contextually equivalent if and 
only if they are related by some lax logical relation. This holds at all types, not just 
first-order types as in previous works. An added bonus of using lax logical relations is 
that they extend directly to more complex models of encryption, where cryptographic 
primitives may obey algebraic laws. Proofs omitted in the sequel are to be found in the 
full version of this paper, available as a technical report [9]. 

Outline. We survey related work in Section 2. We focus on the approach of Sumii and 
Pierce, in which they define several rather complex logical relations as sound criteria 
of contextual equivalence. We take a new look at this approach in Section 3 and Sec- 
tion 4, and gradually deconstruct their work to the point where we show the power of 
prelogical relations in action. This is shown in the absence of fresh name creation, for 
added clarity. We tackle the difficult issue of names in Section 5, using Moggi’s elegant 
computational λ-calculus framework with Stark’s name creation monad. 



2 Related Work 

Logical relations have often been used to prove various properties of typed lambda 
calculi. We are interested here in using logical relations or variants thereof as sound 
criteria for establishing contextual equivalence of two programs. This is instrumental in 
defining security properties. As noticed in [1, 18], a datum $M$ of type $\tau$ is secret in some 
term $t(M)$ of type $\tau'$ if and only if no intruder can say anything about $M$ just by looking 
at $t(M)$, i.e., if and only if $t(M) \approx_{\tau'} t(M')$ for any two $M$ and $M'$, where $\approx_{\tau'}$ denotes 
contextual equivalence at type $\tau'$. We are using λ-calculus notions here, following [18], 
but the idea of using contextual equivalence to define security properties was pioneered 
by Abadi and Gordon [1], where both secrecy and authentication are investigated. 

We shall define precisely what we mean by contextual equivalence in a calculus 
without names (Section 3.2), then with names (Section 5.3). Both notions are standard, 
the latter being inspired by [15], only adapted to Moggi’s computational λ-calculus 
[14]. In [15] and some other places, this kind of equivalence, which states that two 
values (or terms) $a$ and $a'$ are equivalent provided every context of type bool must 
give identical results on $a$ and on $a'$, is called observational equivalence. We stress 
that this should not be confused with observational equivalence as it is defined for data 
refinement [12], where models are related, not values in the same model as here. 

The main point in passing from contextual equivalence to logical relations is to 
avoid the universal quantification over contexts in the former. But there are two kinds 
of technical difficulties one must face in defining logical relations for cryptographic λ- 
calculi. The first, and hardest one, is fresh name creation. The second is dealing with 
encryption and decryption. We shall see that the latter has an elegant solution in terms 
of prelogical relations [10], which we believe is both simpler and more general than 
Sumii and Pierce’s proposal [18]; this is described in Section 3, although we ignore 
fresh name creation there, for clarity. 

Dealing with fresh name creation is harder. The work of Sumii and Pierce [18] is 
inspired in this respect by Pitts and Stark [15], who proposed a λ-calculus devoted to 
the study of fresh name creation, the nu-calculus. They define a so-called operational 
logical relation to establish observational equivalence of nu-calculus expressions. They 
prove that this logical relation is complete up to first-order types. 

In [8], Goubault-Larrecq, Lasota and Nowak define a Kripke logical relation for the 
dynamic name creation monad, which is extended by Zhang and Nowak in [19] so that 
it coincides with Pitts and Stark’s operational logical relation up to first-order types. We 
continue this work here, relying on the elegance of Moggi’s computational λ-calculus 
[14] to describe side effects, and in particular name creation, using Stark’s insights [17]. 

Further comparisons will be made in the course of this paper, especially with bisimu- 
lations for spi-calculus [1, 4, 5]. This continues the observations pioneered in [8], where 
notions of logical relations for various monads were shown to be proper extensions of 
known notions of bisimulations. The precise relation with hedged and framed bisimu- 
lation [5] remains to be stated precisely. 

3 Deconstructing Sumii and Pierce’s Approach 

The starting point of this paper was the realization that the rather complex family of 
logical relations proposed by Sumii and Pierce [18] could be simplified in such a way 
that it could be described as merely one way of building logical relations that have all 
desired properties. It turned out that the only property we really need to be able to deal 
with encryption and decryption primitives is that the logical relations should relate the 
encryption function with itself, and the decryption function with itself. 

3.1 The Toy Cryptographic λ-Calculus 

To show the idea in action, let us use a minimal extension of the simply-typed λ-calculus 
with encryption and decryption, and call it the toy cryptographic λ-calculus. We shall 
show how the idea works on this calculus, which is just a fragment of Sumii and Pierce’s 
[18] cryptographic λ-calculus. The main thing that is missing here is nonce creation, 
i.e., fresh name creation. 

For the moment, we restrict the types to: 

$$\tau ::= b \mid \tau_1 \to \tau_2 \mid \mathrm{key}[\tau] \mid \mathrm{bits}[\tau]$$

where $b$ ranges over a set $\Sigma$ of so-called base types, e.g., integers, booleans, etc. Sumii 
and Pierce’s calculus in addition has cartesian product and coproduct types. $\mathrm{key}[\tau]$ is 
the type of (symmetric) keys that can be used to encrypt values of type $\tau$, $\mathrm{bits}[\tau]$ is 
the type of ciphertexts obtained by encrypting some value of type $\tau$ — necessarily with 
a key of type $\mathrm{key}[\tau]$. There is no special type for nonces, which are thought of as 
objects of type $\mathrm{key}[\tau]$ for some $\tau$. 
The terms of the toy cryptographic λ-calculus are given by the grammar: 

$$t, u, v, \dots ::= x \mid \lambda x \cdot t \mid t\,u \mid \{t\}_u \mid \mathrm{let}\ \{x\}_t = u\ \mathrm{in}\ v_1\ \mathrm{else}\ v_2$$

where $x$ ranges over a countable set of variables, $\{t\}_u$ denotes the ciphertext obtained 
by encrypting $t$ with key $u$ ($t$ is called the plaintext), and $\mathrm{let}\ \{x\}_t = u\ \mathrm{in}\ v_1\ \mathrm{else}\ v_2$ 
is meant to evaluate $u$, attempt to decrypt it using key $t$, then proceed to evaluate $v_1$ 
with plaintext stored in $x$ if decryption succeeded, or evaluate $v_2$ if decryption failed. 
Definitions of free and bound variables and α-renaming are standard, hence omitted; $x$ 
is bound in $\lambda x \cdot t$, with scope $t$, as well as in $\mathrm{let}\ \{x\}_t = u\ \mathrm{in}\ v_1\ \mathrm{else}\ v_2$, with scope $v_1$. 

Typing is as one would expect. Judgments are of the form $\Gamma \vdash t : \tau$, where $\Gamma$ is a 
context, i.e., a finite mapping from variables to types. If $\Gamma$ maps $x_1$ to $\tau_1$, ..., $x_n$ to $\tau_n$, 
we write it $x_1 : \tau_1, \dots, x_n : \tau_n$. Typing rules for encryption and decryption are 

$$\frac{\Gamma \vdash t : \tau \qquad \Gamma \vdash u : \mathrm{key}[\tau]}{\Gamma \vdash \{t\}_u : \mathrm{bits}[\tau]}\ (\mathrm{Enc})$$

$$\frac{\Gamma \vdash t : \mathrm{key}[\tau] \qquad \Gamma \vdash u : \mathrm{bits}[\tau] \qquad \Gamma, x : \tau \vdash v_1 : \tau' \qquad \Gamma \vdash v_2 : \tau'}{\Gamma \vdash \mathrm{let}\ \{x\}_t = u\ \mathrm{in}\ v_1\ \mathrm{else}\ v_2 : \tau'}\ (\mathrm{Dec})$$
A simple denotational semantics for the typed toy cryptographic calculus is as fol- 
lows. Let $[\![\_]\!]$ be any function mapping types $\tau$ to sets so that $[\![\tau_1 \to \tau_2]\!]$ is the set 
$[\![\tau_1]\!] \to [\![\tau_2]\!]$ of all functions from $[\![\tau_1]\!]$ to $[\![\tau_2]\!]$, for all types $\tau_1$ and $\tau_2$. Let $[\![b]\!]$ be arbi- 
trary for every base type $b$, $[\![\mathrm{key}[\tau]]\!]$ be arbitrary. For every $V \in [\![\tau]\!]$, $K \in [\![\mathrm{key}[\tau]]\!]$, 
write $E(V, K)$ the pair $(V, K)$, to suggest that this really denotes the encryption of $V$ 
with key $K$. (That ciphertexts are just modeled as pairs is exactly as in modern versions 
of the Dolev-Yao model [7], or in the spi-calculus [1].) Then, let $[\![\mathrm{bits}[\tau]]\!]$ be the set 
of all pairs $E(V, K)$, $V \in [\![\tau]\!]$, $K \in [\![\mathrm{key}[\tau]]\!]$. 

For any set $A$, let $A_\bot$ be the disjoint sum of $A$ with $\{\bot\}$, where $\bot$ is an element 
outside $A$, and let $\iota$ be the canonical injection of $A$ into $A_\bot$. While we have defined 
$E(V, K)$ as the pair $(V, K)$, we define the inverse decryption function from $[\![\mathrm{bits}[\tau]]\!] \times 
[\![\mathrm{key}[\tau]]\!]$ to $[\![\tau]\!]_\bot$ by letting $D(V', K')$ be $\iota(V)$ if $V'$ is of the form $(V, K)$ with $K = K'$, 
and $\bot$ otherwise. We then describe the value $[\![t]\!]\rho$ of the term $t$ in the environment $\rho$ by 
structural induction on $t$: 

$$[\![\Gamma, x : \tau \vdash x : \tau]\!]\rho = \rho(x)$$

$$[\![\Gamma \vdash \lambda x \cdot t : \tau_1 \to \tau_2]\!]\rho = (V \in [\![\tau_1]\!] \mapsto [\![\Gamma, x : \tau_1 \vdash t : \tau_2]\!]\rho[x := V])$$

$$[\![\Gamma \vdash t\,u : \tau_2]\!]\rho = [\![\Gamma \vdash t : \tau_1 \to \tau_2]\!]\rho\,([\![\Gamma \vdash u : \tau_1]\!]\rho)$$

$$[\![\Gamma \vdash \{t\}_u : \mathrm{bits}[\tau]]\!]\rho = E([\![\Gamma \vdash t : \tau]\!]\rho,\ [\![\Gamma \vdash u : \mathrm{key}[\tau]]\!]\rho)$$

$$[\![\mathrm{let}\ \{x\}_t = u\ \mathrm{in}\ v_1\ \mathrm{else}\ v_2]\!]\rho = \begin{cases} [\![v_1]\!]\rho[x := V_1] & \text{if } W = \iota(V_1) \\ [\![v_2]\!]\rho & \text{if } W = \bot \end{cases} \quad \text{where } W = D([\![u]\!]\rho, [\![t]\!]\rho)$$

More formally, for any context $\Gamma$, a $\Gamma$-environment $\rho$ is a map such that, for every 
$x : \tau$ in $\Gamma$, $\rho(x)$ is an element of $[\![\tau]\!]$. Write $\rho[x := V]$ the environment mapping $x$ to $V$ 
and every other variable $y$ to $\rho(y)$. Write $[x := V]$ the environment mapping just $x$ to 
$V$. We write $(V \in A \mapsto f(V))$ the (set-theoretic) function mapping $V$ in $A$ to $f(V)$ to 
distinguish it from the (syntactic) λ-abstraction $\lambda x \cdot f(x)$. In $[\![\Gamma \vdash t\,u : \tau_2]\!]\rho$, we assume 
that the premises of the last rule of the implicit typing derivation are $\Gamma \vdash t : \tau_1 \to \tau_2$ 
and $\Gamma \vdash u : \tau_1$. We write $[\![t]\!]$ instead of $[\![t]\!]\rho$ when the environment $\rho$ is irrelevant, e.g., 
an empty environment. 
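The semantics above is small enough to execute. The following Python interpreter is an added example, not code from the paper or its authors: it encodes the term grammar as dataclasses, models $E(V,K)$ as the pair $(V,K)$ and $D$ as the inverse returning $\iota(V)$ or $\bot$, and evaluates let-decryption exactly as in the last clause above. The sample programs, the key names "k" and "k2", and the choice of Python values for the base types are constructed for the example and are not part of the original.

```python
"""Interpreter for the toy cryptographic lambda-calculus of Section 3.1.

Added example; the term encoding, the Python values chosen for base types and
the key names "k", "k2" are constructed assumptions, not part of the paper."""
from dataclasses import dataclass
from typing import Any, Union

# ---- syntax: one constructor per production of the term grammar ----
@dataclass(frozen=True)
class Var:                 # x
    name: str

@dataclass(frozen=True)
class Lam:                 # λx·t
    var: str
    body: "Term"

@dataclass(frozen=True)
class App:                 # t u
    fun: "Term"
    arg: "Term"

@dataclass(frozen=True)
class Enc:                 # {t}_u
    plain: "Term"
    key: "Term"

@dataclass(frozen=True)
class Dec:                 # let {x}_t = u in v1 else v2
    var: str
    key: "Term"
    cipher: "Term"
    then_branch: "Term"
    else_branch: "Term"

@dataclass(frozen=True)
class Const:               # a literal of base type, or an element of [[key[τ]]]
    value: Any

Term = Union[Var, Lam, App, Enc, Dec, Const]

# ---- the semantic primitives: ciphertexts are pairs, as in Dolev-Yao ----
BOTTOM = None                     # ⊥ in [[τ]]_⊥
def iota(v):  return ("some", v)  # ι : [[τ]] → [[τ]]_⊥
def E(v, k):  return (v, k)       # E(V, K) is literally the pair (V, K)
def D(c, k):                      # D(V', K') = ι(V) if V' = (V, K) with K = K', else ⊥
    v, kc = c
    return iota(v) if kc == k else BOTTOM

def evaluate(t: Term, env: dict) -> Any:
    """[[t]]ρ, by structural induction on t, following the clauses above."""
    if isinstance(t, Var):
        return env[t.name]
    if isinstance(t, Const):
        return t.value
    if isinstance(t, Lam):        # the set-theoretic function (V ∈ [[τ1]] ↦ [[t]]ρ[x := V])
        return lambda v: evaluate(t.body, {**env, t.var: v})
    if isinstance(t, App):
        return evaluate(t.fun, env)(evaluate(t.arg, env))
    if isinstance(t, Enc):
        return E(evaluate(t.plain, env), evaluate(t.key, env))
    if isinstance(t, Dec):        # W = D([[u]]ρ, [[t]]ρ); branch on ι(V1) versus ⊥
        w = D(evaluate(t.cipher, env), evaluate(t.key, env))
        if w is BOTTOM:
            return evaluate(t.else_branch, env)
        return evaluate(t.then_branch, {**env, t.var: w[1]})
    raise TypeError(f"not a term: {t!r}")

# ---- constructed sample programs ----
K, K2 = "k", "k2"                 # two distinct elements of [[key[int]]]

# let {x}_k = {42}_k in x else 0      (right key: D(E(42,k),k) = ι(42))
ok_prog = Dec("x", Const(K), Enc(Const(42), Const(K)), Var("x"), Const(0))
# let {x}_k2 = {42}_k in x else 0     (wrong key: D yields ⊥, else branch)
bad_prog = Dec("x", Const(K2), Enc(Const(42), Const(K)), Var("x"), Const(0))
# An intruder context of type bits[int] → bool that knows only k2:
#   λc · let {x}_k2 = c in true else false
intruder = Lam("c", Dec("x", Const(K2), Var("c"), Const(True), Const(False)))

def run_samples():
    """Returns ([[ok_prog]], [[bad_prog]], intruder on {42}_k, intruder on {7}_k)."""
    return (evaluate(ok_prog, {}),
            evaluate(bad_prog, {}),
            evaluate(App(intruder, Enc(Const(42), Const(K))), {}),
            evaluate(App(intruder, Enc(Const(7), Const(K))), {}))

if __name__ == "__main__":
    print(run_samples())          # (42, 0, False, False)
```

The last two results being equal is the contextual-equivalence view of secrecy from Section 2 in miniature: this one context, holding only k2, cannot tell $\{42\}_k$ from $\{7\}_k$. Quantifying over all such contexts is what the logical relations of the next subsections are for.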

3.2 What Are Logical Relations for Encryption? 

We first fix a subset Obs of the set of types, of so-called observation types. Typically, Obs will con- 
tain just the type bool of Booleans, one of the base types. We say that $a, a' \in [\![\tau]\!]$ 
are contextually equivalent, and we write $a \approx_\tau a'$, in the set-theoretic model above 
if and only if, whatever the term $C$ such that $x : \tau \vdash C : o$ is derivable ($o \in$ Obs), 
$[\![C]\!][x := a] = [\![C]\!][x := a']$. 

In the λ-calculus setting, a (binary) logical relation is a family $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ of binary 
relations $\mathcal{R}_\tau$, one for each type $\tau$, on $[\![\tau]\!]$, such that: 

$$(\mathrm{Log})\quad \forall f, f' \in [\![\tau_1 \to \tau_2]\!],\ f\ \mathcal{R}_{\tau_1 \to \tau_2}\ f' \Leftrightarrow (\forall a\ \mathcal{R}_{\tau_1}\ a',\ f(a)\ \mathcal{R}_{\tau_2}\ f'(a'))$$

Here we write $a\ \mathcal{R}\ a'$ to say that $a$ and $a'$ are related by the binary relation $\mathcal{R}$. In 
other words, logical relations relate exactly those functions that map related arguments 
to related results. This is the standard definition of logical relations in the λ-calculus 
[12]. Note that there is no constraint on base types. In the typed λ-calculus, i.e., with- 
out encryption and decryption, the condition above forces $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ to be uniquely 
determined, by induction on types, from the relations $\mathcal{R}_b$, $b \in \Sigma$. More importantly, it 
entails the so-called basic lemma. To state it, first say that two $\Gamma$-environments $\rho, \rho'$ are 
related by the logical relation, in notation $\rho\ \mathcal{R}_\Gamma\ \rho'$, if and only if $\rho(x)\ \mathcal{R}_\tau\ \rho'(x)$ for 
every $x : \tau$ in $\Gamma$. The basic lemma states that if $\Gamma \vdash t_0 : \tau$ is derivable, and $\rho, \rho'$ are 
two related $\Gamma$-environments, then $[\![t_0]\!]\rho\ \mathcal{R}_\tau\ [\![t_0]\!]\rho'$. This is a simple induction on (the 
typing derivation of) $t_0$. 

We are interested in the basic lemma because, as observed e.g. in [18], this implies 
that for any logical relation that coincides with equality on observation types, any two 
terms with logically related values are contextually equivalent. 

In the toy cryptographic λ-calculus, we have left the definition of $\mathcal{R}_{\mathrm{key}[\tau]}$ and 
$\mathcal{R}_{\mathrm{bits}[\tau]}$ open. Here are conditions under which the basic lemma holds in the toy crypto- 
graphic λ-calculus. For any type $\tau$, let $\mathcal{R}_{\tau\ \mathrm{option}}$ be the binary relation on $[\![\tau]\!]_\bot$ defined 
by $V\ \mathcal{R}_{\tau\ \mathrm{option}}\ V'$ if and only if $V = V' = \bot$, or $V = \iota(V_1)$, $V' = \iota(V_1')$ for some $V_1$, 
$V_1'$, and $V_1\ \mathcal{R}_\tau\ V_1'$. 

Lemma 1. Assume that: 

1. for every $V\ \mathcal{R}_\tau\ V'$ and $K\ \mathcal{R}_{\mathrm{key}[\tau]}\ K'$, $E(V,K)\ \mathcal{R}_{\mathrm{bits}[\tau]}\ E(V',K')$; 

2. for every $V\ \mathcal{R}_{\mathrm{bits}[\tau]}\ V'$ and $K\ \mathcal{R}_{\mathrm{key}[\tau]}\ K'$, $D(V,K)\ \mathcal{R}_{\tau\ \mathrm{option}}\ D(V',K')$. 

Then the basic lemma holds: if $\Gamma \vdash t_0 : \tau$ is derivable, and $\rho, \rho'$ are two related 
$\Gamma$-environments, then $[\![t_0]\!]\rho\ \mathcal{R}_\tau\ [\![t_0]\!]\rho'$. 

Before we proceed, let us remark that we do not need any property of $E$ or $D$ in the 
proof of this lemma. The property that $D(E(V,K),K) = \iota(V)$ is only needed to show 
that $\mathrm{let}\ \{x\}_t = \{u\}_t\ \mathrm{in}\ v_1\ \mathrm{else}\ v_2$ and $v_1[u/x]$ have the same semantics, which we 
do not care about here. The property that $E(V,K)$ is the pair $(V,K)$, or that $E$ is even 
injective, is just never needed. This means that Lemma 1 also holds if we use encryption 
primitives that obey algebraic laws. 

There is a kind of converse to Lemma 1. Assume that we have an additional type 
former $\tau\ \mathrm{option}$, with constructors $\mathrm{SOME} : \tau \to \tau\ \mathrm{option}$ and $\mathrm{NONE} : \tau\ \mathrm{option}$. As- 
sume their semantics is given by $[\![\tau\ \mathrm{option}]\!] = [\![\tau]\!]_\bot$, $[\![\mathrm{SOME}\ t]\!] = \iota([\![t]\!])$, $[\![\mathrm{NONE}]\!] = \bot$. 
Finally, assume that $\mathcal{R}_{\tau\ \mathrm{option}}$ is defined as above. Then we may define an encryp- 
tion primitive $\mathrm{enc} = \lambda v \cdot \lambda k \cdot \{v\}_k$ and a decryption primitive in the toy crypto- 
graphic lambda-calculus by $\mathrm{dec} = \lambda v \cdot \lambda k \cdot \mathrm{let}\ \{x\}_k = v\ \mathrm{in}\ \mathrm{SOME}\ x\ \mathrm{else}\ \mathrm{NONE}$. 
If the basic lemma holds, then we must have $[\![\mathrm{enc}]\!]\ \mathcal{R}_{\tau \to \mathrm{key}[\tau] \to \mathrm{bits}[\tau]}\ [\![\mathrm{enc}]\!]$ and 
$[\![\mathrm{dec}]\!]\ \mathcal{R}_{\mathrm{bits}[\tau] \to \mathrm{key}[\tau] \to \tau\ \mathrm{option}}\ [\![\mathrm{dec}]\!]$. These are just Conditions 1. and 2. 

Call cryptographic logical relation any logical relation for which the basic lemma 
holds. Conditions 1. and 2. can therefore be rephrased as the following motto: a crypto- 
graphic logical relation should relate encryption with itself, and decryption with itself. 

3.3 Existence of Logical Relations for Encryption 

How can we build a cryptographic logical relation inductively on types? We first need 
to address the question of existence of logical relations satisfying the basic lemma. 

Let us fix a type $\tau$, and assume that we have already constructed $\mathcal{R}_\tau$ and $\mathcal{R}_{\mathrm{key}[\tau]}$. 
Let $\mathcal{R}^-_{\mathrm{bits}[\tau]}$ be the smallest relation on $[\![\mathrm{bits}[\tau]]\!]$ satisfying condition 1., i.e., such 
that $E(V,K)\ \mathcal{R}^-_{\mathrm{bits}[\tau]}\ E(V',K')$ for all $V\ \mathcal{R}_\tau\ V'$ and $K\ \mathcal{R}_{\mathrm{key}[\tau]}\ K'$. Let $\mathcal{R}^+_{\mathrm{bits}[\tau]}$ 
be the largest relation on $[\![\mathrm{bits}[\tau]]\!]$ satisfying condition 2., i.e., such that whenever 
$V\ \mathcal{R}^+_{\mathrm{bits}[\tau]}\ V'$ then $D(V,K)\ \mathcal{R}_{\tau\ \mathrm{option}}\ D(V',K')$ for every $K\ \mathcal{R}_{\mathrm{key}[\tau]}\ K'$. These two 
relations clearly exist. Conditions 1. and 2. state that we should choose $\mathcal{R}_{\mathrm{bits}[\tau]}$ so that 
$\mathcal{R}^-_{\mathrm{bits}[\tau]} \subseteq \mathcal{R}_{\mathrm{bits}[\tau]} \subseteq \mathcal{R}^+_{\mathrm{bits}[\tau]}$. This exists if and only if $\mathcal{R}^-_{\mathrm{bits}[\tau]} \subseteq \mathcal{R}^+_{\mathrm{bits}[\tau]}$. 

In turn, $\mathcal{R}^-_{\mathrm{bits}[\tau]} \subseteq \mathcal{R}^+_{\mathrm{bits}[\tau]}$ is equivalent to: for every $V\ \mathcal{R}_\tau\ V'$ and $K\ \mathcal{R}_{\mathrm{key}[\tau]}\ K'$, 
for every $K_1\ \mathcal{R}_{\mathrm{key}[\tau]}\ K_1'$, $D(E(V,K),K_1)\ \mathcal{R}_{\tau\ \mathrm{option}}\ D(E(V',K'),K_1')$ (*). Let there- 
fore $V\ \mathcal{R}_\tau\ V'$, and fix $K\ \mathcal{R}_{\mathrm{key}[\tau]}\ K'$. By choosing $K_1 = K$, (*) becomes 
$\iota(V)\ \mathcal{R}_{\tau\ \mathrm{option}}\ D(E(V',K'),K_1')$, which is equivalent to $K' = K_1'$ and $V\ \mathcal{R}_\tau\ V'$. 
Similarly by choosing $K_1' = K'$, we get $K = K_1$ and $V\ \mathcal{R}_\tau\ V'$. In other words, as 
soon as $\mathcal{R}_\tau$ is not empty, $\mathcal{R}_{\mathrm{key}[\tau]}$ must be a partial bijection on $[\![\mathrm{key}[\tau]]\!]$, i.e., the graph 
of a bijection between two subsets of $[\![\mathrm{key}[\tau]]\!]$. 

Proposition 1. Let $\mathcal{R}^0_b$ be given binary relations on $[\![b]\!]$ for every base type $b$. Let 
$\mathcal{R}^0_{\mathrm{key}[\tau]}$ be a partial bijection on $[\![\mathrm{key}[\tau]]\!]$ for every type $\tau$. There exists a crypto- 
graphic logical relation $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ such that $\mathcal{R}_b = \mathcal{R}^0_b$ for every base type $b$, and such 
that $\mathcal{R}_{\mathrm{key}[\tau]} = \mathcal{R}^0_{\mathrm{key}[\tau]}$ for every type $\tau$. We may define $\mathcal{R}_{\mathrm{bits}[\tau]}$, for any type $\tau$, as any 
relation such that $\mathcal{R}^-_{\mathrm{bits}[\tau]} \subseteq \mathcal{R}_{\mathrm{bits}[\tau]} \subseteq \mathcal{R}^+_{\mathrm{bits}[\tau]}$. 

Proposition 1 shows that cryptographic logical relations exist that coincide with 
given relations on base types. But contrarily to logical relations in the λ-calculus, they 
are far from being uniquely determined: we have considerable freedom as to the choice 
of the relations at key and bits types. 

J. Goubault-Larrecq et al. 

To define $\mathcal{R}_{\mathrm{key}[\tau]}$, notably, we may use the intuition that some keys are observable 
by an intruder, and some others are not. Letting $fr_\tau$ be the set of observable keys, define 
$\mathcal{R}_{\mathrm{key}[\tau]}$ relating the key $K$ with itself provided $K \in fr_\tau$, and not relating any non- 
observable key with any key. This is clearly a partial bijection, in fact the identity on 
the subset $fr_\tau$ of $[\![\mathrm{key}[\tau]]\!]$. This is a popular choice: $fr_\tau$ is what Abadi and Gordon [2] 
call a frame, up to the fact that frames are defined there as sets of names, not of keys. 

To define $\mathcal{R}_{\mathrm{bits}[\tau]}$, we may choose any relation sandwiched between $\mathcal{R}^-_{\mathrm{bits}[\tau]}$ and 
$\mathcal{R}^+_{\mathrm{bits}[\tau]}$. For $V_0, V_0' \in [\![\mathrm{bits}[\tau]]\!]$, $V_0\ \mathcal{R}^-_{\mathrm{bits}[\tau]}\ V_0'$ if and only if $V_0$ is of the form 
$E(V,K)$, $V_0'$ is of the form $E(V',K')$, $V\ \mathcal{R}_\tau\ V'$ and $K = K' \in fr_\tau$. In other words, 
$V_0$ and $V_0'$ are related by $\mathcal{R}^-_{\mathrm{bits}[\tau]}$ if and only if they are encryptions of related plaintexts 
by a unique key that the intruder may observe. On the other hand, $V_0\ \mathcal{R}^+_{\mathrm{bits}[\tau]}\ V_0'$ if 
and only if $V_0 = E(V,K)$ and $V_0' = E(V',K')$ with either $V\ \mathcal{R}_\tau\ V'$ and $K = K' \in fr_\tau$, 
or $K, K' \notin fr_\tau$ (whatever $V$, $V'$). 

So, $\mathcal{R}_{\mathrm{bits}[\tau]}$ is completely characterized by the datum of $fr_\tau$, plus a function 
mapping pairs of keys $K, K'$ in $[\![\mathrm{key}[\tau]]\!] \setminus fr_\tau$ to a binary relation $\psi_\tau(K,K')$ on 
$[\![\tau]\!]$: if $\mathcal{R}_{\mathrm{bits}[\tau]}$ is given, then let $\psi_\tau(K,K')$ be defined as relating $V$ with $V'$ if and 
only if $E(V,K)\ \mathcal{R}_{\mathrm{bits}[\tau]}\ E(V',K')$; on the other hand, given $\psi_\tau$, the relation $\mathcal{R}_{\mathrm{bits}[\tau]}$ 
that relates $E(V,K)$ with $E(V',K')$ if and only if $V\ \mathcal{R}_\tau\ V'$ and $K = K' \in fr_\tau$, or 
$K, K' \notin fr_\tau$ and $V\ \psi_\tau(K,K')\ V'$, is such that $\mathcal{R}^-_{\mathrm{bits}[\tau]} \subseteq \mathcal{R}_{\mathrm{bits}[\tau]} \subseteq \mathcal{R}^+_{\mathrm{bits}[\tau]}$. 

Given parameters $fr$ and $\psi$, we then get the following definition of a unique crypto- 
graphic logical relation by induction on types, so that it coincides with given relations 
on base types: 

Proposition 2. Let $fr_\tau$ be some subset of $[\![\mathrm{key}[\tau]]\!]$, for each type $\tau$, and $\psi_\tau$ be any 
function from $([\![\mathrm{key}[\tau]]\!] \setminus fr_\tau)^2$ to the set $\mathcal{P}([\![\tau]\!] \times [\![\tau]\!])$ of binary relations on $[\![\tau]\!]$. For 
any family $\mathcal{R}_b$ of binary relations on $[\![b]\!]$, $b$ a base type, let $(\mathcal{R}^{fr,\psi}_\tau)_{\tau\ \mathrm{type}}$ be the family 
of relations defined by: 

• $\mathcal{R}^{fr,\psi}_b = \mathcal{R}_b$ for each base type $b$; 

• for every $f, f' \in [\![\tau_1 \to \tau_2]\!]$, $f\ \mathcal{R}^{fr,\psi}_{\tau_1 \to \tau_2}\ f'$ if and only if for every $a\ \mathcal{R}^{fr,\psi}_{\tau_1}\ a'$, 
$f(a)\ \mathcal{R}^{fr,\psi}_{\tau_2}\ f'(a')$; 

• for every $K, K' \in [\![\mathrm{key}[\tau]]\!]$, $K\ \mathcal{R}^{fr,\psi}_{\mathrm{key}[\tau]}\ K'$ if and only if $K = K' \in fr_\tau$; 

• for every $V, V' \in [\![\tau]\!]$, for every $K, K' \in [\![\mathrm{key}[\tau]]\!]$, $E(V,K)\ \mathcal{R}^{fr,\psi}_{\mathrm{bits}[\tau]}\ E(V',K')$ if 
and only if $V\ \mathcal{R}^{fr,\psi}_\tau\ V'$ and $K = K' \in fr_\tau$, or $K, K' \notin fr_\tau$ and $V\ \psi_\tau(K,K')\ V'$. 

Whatever the choices of $fr_\tau$ and $\psi_\tau$, $(\mathcal{R}^{fr,\psi}_\tau)_{\tau\ \mathrm{type}}$ is a cryptographic logical relation. 

Clearly, Proposition 2 generalizes to the case where $fr_\tau$ and $\psi_\tau$ are not given a 
priori, but defined using the relations $\mathcal{R}^{fr,\psi}_{\tau'}$ for (not necessarily strict) subtypes $\tau'$ of 
$\tau$. That is, when not just $\mathcal{R}^{fr,\psi}_\tau$ but also $fr_\tau$ and $\psi_\tau$ are defined by mutual induction on 
types. 

It is interesting, too, to relate the dehnition of TZl'^’'^ to selected parts of the notion 
of framed bisimulation [2]. Slightly adapting [2] again, call a theory (on type bits[T]) 
any finite binary relation thr on [bits/]]. By hnite, we mean that it should be hnite 
as a set of pairs of values. A frame-theory pair {frr, thr) is consistent if and only if 
thr is a partial hijection, and E(I/, K) thr E(k^', K') implies K ^ frr and K' ^ frr- 
Any consistent frame-theory pair determines a fr function by V fr{K,K') V' if and 
only if E(y, AT) thr E(k^', AT'). It follows that frame-theory pairs, as explained here, 
are special cases of pairs of a frame frr and a function fr. 
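The following Python model is added here as an illustration; it is not code from the paper. It implements the four clauses of Proposition 2 for the first-order types (base, key, bits, option; arrow types are left out so that the model stays finite) together with the consistency check on frame-theory pairs described just above. Everything in it is a constructed assumption of ours: $E(V,K)$ is a tagged tuple, $D$ its inverse returning SOME/NONE, option values are related component-wise, the key universe is {k1, k2, k3} with frame $fr = \{k1\}$, and $\psi$ is either "always related" (ciphertexts under hidden keys are opaque) or the function determined by a small theory. The checks at the end verify the points the text makes: $\mathcal{R}_{\mathsf{key}}$ is a partial bijection, $E$ and $D$ are related to themselves whatever $\psi$ is, and two ciphertexts with unrelated plaintexts are related as soon as both keys are hidden from the intruder.

```python
"""Finite model of the cryptographic logical relation R^{fr,psi} of
Proposition 2 and of the frame-theory pairs discussed after it.

Added example, not code from the paper.  Assumptions (ours): E(V, K) is
the tagged tuple ("E", V, K); D returns ("SOME", V) or ("NONE",); option
values are related component-wise; types are tuples such as
("base", "bool"), ("key",), ("bits", tau), ("option", tau).  Arrow types
are left out so that the model stays finite.
"""
from itertools import product

def E(v, k):
    return ("E", v, k)

def D(c, k):
    # Decryption succeeds only with the encrypting key.
    if c[0] == "E" and c[2] == k:
        return ("SOME", c[1])
    return ("NONE",)

def is_partial_bijection(pairs):
    # No two pairs share a left component or a right component.
    lefts = [a for a, _ in pairs]
    rights = [b for _, b in pairs]
    return len(set(lefts)) == len(lefts) and len(set(rights)) == len(rights)

def consistent(fr, th):
    """Consistency of a frame-theory pair (fr, th), as defined above."""
    return is_partial_bijection(th) and all(
        c[2] not in fr and c2[2] not in fr for c, c2 in th)

def psi_from_theory(fr, th):
    """The psi function determined by a consistent frame-theory pair."""
    if not consistent(fr, th):
        raise ValueError("inconsistent frame-theory pair")
    return lambda k, k2, v, v2: (E(v, k), E(v2, k2)) in th

def psi_opaque(k, k2, v, v2):
    # Ciphertexts under keys the intruder does not hold are indistinguishable.
    return True

class CryptoRelation:
    """R^{fr,psi} for first-order types, by induction on the type."""
    def __init__(self, fr, psi, base):
        self.fr, self.psi, self.base = frozenset(fr), psi, base

    def related(self, ty, a, b):
        kind = ty[0]
        if kind == "base":                      # the given relation on base types
            return (a, b) in self.base[ty[1]]
        if kind == "key":                       # identity on the frame
            return a == b and a in self.fr
        if kind == "bits":
            if a[0] != "E" or b[0] != "E":
                return False
            (_, v, k), (_, v2, k2) = a, b
            if k == k2 and k in self.fr:        # same observable key: plaintexts must be related
                return self.related(ty[1], v, v2)
            if k not in self.fr and k2 not in self.fr:   # both keys hidden: psi decides
                return self.psi(k, k2, v, v2)
            return False
        if kind == "option":
            if a[0] != b[0]:
                return False
            return a[0] == "NONE" or self.related(ty[1], a[1], b[1])
        raise ValueError(ty)

BOOL = ("base", "bool")
KEYS = ("k1", "k2", "k3")            # constructed key universe
FRAME = frozenset({"k1"})            # the intruder observes k1 only
BOOLS = (True, False)
CIPHERS = [E(v, k) for v in BOOLS for k in KEYS]
BASE = {"bool": {(True, True), (False, False)}}

def key_relation_is_partial_bijection(rel):
    return all(k == k2 for k, k2 in product(KEYS, KEYS)
               if rel.related(("key",), k, k2))

def enc_related_to_itself(rel):
    # Related plaintexts and related keys give related ciphertexts.
    return all(rel.related(("bits", BOOL), E(v, k), E(v2, k2))
               for v, v2 in product(BOOLS, BOOLS) if rel.related(BOOL, v, v2)
               for k, k2 in product(KEYS, KEYS) if rel.related(("key",), k, k2))

def dec_related_to_itself(rel):
    # Related ciphertexts and related keys give related decryption results.
    return all(rel.related(("option", BOOL), D(c, k), D(c2, k2))
               for c, c2 in product(CIPHERS, CIPHERS)
               if rel.related(("bits", BOOL), c, c2)
               for k, k2 in product(KEYS, KEYS) if rel.related(("key",), k, k2))

def hidden_keys_hide_plaintext(rel):
    # Unrelated plaintexts, both keys hidden from the intruder.
    return rel.related(("bits", BOOL), E(True, "k2"), E(False, "k3"))

R_OPAQUE = CryptoRelation(FRAME, psi_opaque, BASE)
THEORY = {(E(True, "k2"), E(False, "k3"))}
R_THEORY = CryptoRelation(FRAME, psi_from_theory(FRAME, THEORY), BASE)
```

With `R_THEORY`, only the single ciphertext pair recorded in the theory is related under hidden keys; with `R_OPAQUE`, every such pair is. Both choices leave `E` and `D` related to themselves, which is exactly why the parameter $\psi$ is free: decryption with an observable key never succeeds on a ciphertext built under a hidden one.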
4 A Uniform Cryptographic λ-Calculus, and Prelogical Relations

Reflecting on the developments above, we see that it would be more natural to use, instead of the toy cryptographic λ-calculus, a simply-typed λ-calculus with two constants $\mathsf{enc}$ and $\mathsf{dec}$, with respective semantics given by $E$ and $D$. While we are at it, it is clear from the way we define $\mathcal{R}^{fr,\psi}_{\mathsf{key}[\tau]}$ in Proposition 2 that the type $\mathsf{key}[\tau]$ behaves more like a base type than a type constructed from another type. It is therefore relevant to change the algebra of types to something like:

$\tau ::= b \mid \tau_1 \to \tau_2 \mid \mathsf{bits}[\tau] \mid \mathsf{key} \mid \tau\ \mathsf{option} \mid \ldots$

where $b$ ranges over $\Sigma$, $\Sigma$ now contains a collection of key types $\mathsf{key}_1, \ldots, \mathsf{key}_n$ (wlog., we shall use just one, which we write $\mathsf{key}$), and the $\tau\ \mathsf{option}$ type is used to give a typing to $\mathsf{dec} : \mathsf{bits}[\tau] \to \mathsf{key} \to \tau\ \mathsf{option}$; $\mathsf{enc}$ is assumed to have type $\tau \to \mathsf{key} \to \mathsf{bits}[\tau]$. The final ellipsis is meant to indicate that there may be other type formers (products, etc.): we do not wish to be too specific here.

The language we get is just the simply-typed λ-calculus with constants, up to the fact that we need option types $\tau\ \mathsf{option}$. The constants to consider here are at least $\mathsf{dec}$, $\mathsf{enc}$, $\mathsf{SOME} : \tau \to \tau\ \mathsf{option}$, $\mathsf{NONE} : \tau\ \mathsf{option}$, and $\mathsf{case} : \tau\ \mathsf{option} \to (\tau \to \tau') \to \tau' \to \tau'$. (The $\mathsf{case}$ constant implements the elimination principle for $\tau\ \mathsf{option}$; we write $\mathsf{case}\ s\ \mathsf{of}\ \mathsf{SOME}\ x \Rightarrow t \mid \mathsf{NONE} \Rightarrow t'$ instead of $\mathsf{case}\ s\ (\lambda x \cdot t)\ t'$, and leave the semantics of $\mathsf{case}$ as an exercise to the reader.)

The fact that the constants $\mathsf{dec}$, $\mathsf{enc}$ are required to have their denotations, $D$ and $E$, related to themselves is reminiscent of prelogical relations [10]. These can be defined in a variety of ways. Following [10, Definition 3.1, Proposition 3.3], a prelogical relation is any family $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ of relations such that:

1. for every $f, f' \in [\![\tau_1 \to \tau_2]\!]$, if $f \mathcal{R}_{\tau_1 \to \tau_2} f'$ and $a \mathcal{R}_{\tau_1} a'$ then $f(a) \mathcal{R}_{\tau_2} f'(a')$;

2. $\mathbf{K} \mathcal{R}_{\tau_1 \to \tau_2 \to \tau_1} \mathbf{K}$, where $\mathbf{K}$ is the function mapping $x \in [\![\tau_1]\!]$, $y \in [\![\tau_2]\!]$ to $x$;

3. $\mathbf{S} \mathcal{R}_{(\tau_1 \to \tau_2 \to \tau_3) \to (\tau_1 \to \tau_2) \to \tau_1 \to \tau_3} \mathbf{S}$, where $\mathbf{S}$ is the function mapping $x \in [\![\tau_1 \to \tau_2 \to \tau_3]\!]$, $y \in [\![\tau_1 \to \tau_2]\!]$, $z \in [\![\tau_1]\!]$ to $x(z)(y(z))$;

4. and for every constant $a : \tau$, $[\![a]\!] \mathcal{R}_\tau [\![a]\!]$,

where $[\![a]\!]$ denotes $[\![a]\!]\rho$ for any environment $\rho$. Condition 1 is just one half of (Log). The basic lemma for prelogical relations [10, Lemma 4.1] is stronger than for logical relations: prelogical relations are exactly those families of relations indexed by types such that the basic lemma holds.

Note that the use of prelogical relations also requires us to relate the semantics of $\mathsf{SOME}$ with itself, that of $\mathsf{NONE}$ with itself, and that of $\mathsf{case}$ with itself.

Then, we may observe that prelogical relations are not just sound for contextual equivalence, they are complete, at all types, even higher-order. Recall that a value $a \in [\![\tau]\!]$ is definable if and only if there exists a (necessarily closed) term $t$ such that $\vdash t : \tau$ is derivable, and $a = [\![t]\!]$. The main point in our completeness argument is that there is a lax logical relation built by considering the trace of $\approx_\tau$ on definable elements. The relation is necessarily a partial equality on observation types $o \in \mathrm{Obs}$.

Theorem 3 (Completeness). Prelogical relations are complete for contextual equivalence in the λ-calculus, in the strong sense that there is a prelogical relation $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ such that for every $t_1, t_2$ s.t. $\vdash t_1 : \tau$, $\vdash t_2 : \tau$, $[\![t_1]\!] \approx_\tau [\![t_2]\!]$ if and only if $[\![t_1]\!] \mathcal{R}_\tau [\![t_2]\!]$.
The argument before Proposition 2 applies here without further ado: every prelogical relation must be a partial bijection at the key type, and conversely, any prelogical relation that is the equality on $fr \subseteq [\![\mathsf{key}]\!]$ at the key type satisfies the basic lemma, hence can be used to establish contextual equivalence. Specializing the prelogical relation $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ of Theorem 3 (its proof is in the full version [9]), we get that $\mathcal{R}_{\mathsf{key}}$ is exactly equality on the set $fr = \{[\![t]\!] \mid \vdash t : \mathsf{key}\}$ of definable keys.

Similarly, we may define the binary relation $\psi_\tau(K,K')$ for every $K, K' \in [\![\mathsf{key}]\!] \setminus fr$ (i.e., for all non-definable keys) by $V \psi_\tau(K,K') V'$ if and only if $E(V,K) \mathcal{R}_{\mathsf{bits}[\tau]} E(V',K')$, i.e., if and only if $E(V,K)$ and $E(V',K')$ are definable at type $\mathsf{bits}[\tau]$, and $E(V,K) \approx_{\mathsf{bits}[\tau]} E(V',K')$.

From this, we infer immediately the following combination of the analogue of Proposition 2 (soundness) with Theorem 3 (completeness):

Proposition 4. There is a prelogical relation $(\mathcal{R}^{fr,\psi}_\tau)_{\tau\ \mathrm{type}}$, parameterized by $fr$ and $\psi$, which is:

• strict at the key type: i.e., for every $K, K' \in [\![\mathsf{key}]\!]$, $K \mathcal{R}^{fr,\psi}_{\mathsf{key}} K'$ if and only if $K = K' \in fr$;

• strict at $\mathsf{bits}[\tau]$ types: i.e., for every $V, V' \in [\![\tau]\!]$, for every $K, K' \in [\![\mathsf{key}]\!]$, $E(V,K) \mathcal{R}^{fr,\psi}_{\mathsf{bits}[\tau]} E(V',K')$ if and only if $V \mathcal{R}^{fr,\psi}_\tau V'$ and $K = K' \in fr$, or $K, K' \notin fr$ and $V \psi_\tau(K,K') V'$;

• and such that, for some $fr$ and $\psi$, for every closed terms $t, t'$ of type $\tau$, $[\![t]\!] \approx_\tau [\![t']\!]$ if and only if $[\![t]\!] \mathcal{R}^{fr,\psi}_\tau [\![t']\!]$.

The idea of being strict at some type $\tau$ is, in all cases, that the (pre)logical relation at type $\tau$ should be defined uniquely as a function of the (pre)logical relations at all immediate subterms of $\tau$. The prelogical relation of Proposition 4 is strict at option types, too, provided there is a closed term of type $\tau$ or $[\![\tau]\!]$ has no junk.

While the point of prelogical relations in [10] is mainly that they need not be strict at arrow types, the point here is to argue that it is meaningful either not to be strict at $\mathsf{bits}[\tau]$ types, as in Section 3.2 (in the sense that $\mathcal{R}_{\mathsf{bits}[\tau]}$ was not determined uniquely from $\mathcal{R}_\tau$), or equivalently to be strict at $\mathsf{bits}[\tau]$, given parameters $fr$ and $\psi$. We believe that just saying that we do not require strictness at $\mathsf{bits}[\tau]$, thus omitting the $fr$ and $\psi$ parameters, leads to some simplification.

5 Name Creation and Lax Logical Relations 

No decent calculus for cryptographic protocols can dispense with fresh name creation. This is most easily done by following Stark [17], who defined a categorical semantics for a calculus with fresh name creation based on Moggi's monadic λ-calculus [14]. We just take his language, adding all needed constants as in Section 4.

5.1 The Moggi-Stark Calculus

The Moggi-Stark calculus is obtained by adding a new type former $T$ (the monad) to the types of the λ-calculus of Section 4, so that $T\tau$ is a type as soon as $\tau$ is:

$\tau ::= b \mid \tau_1 \to \tau_2 \mid \mathsf{bits}[\tau] \mid \mathsf{key} \mid \tau\ \mathsf{option} \mid T\tau \mid \ldots$
(We continue to leave the definition of our calculi open, as shown with the ellipsis $\ldots$, to facilitate the addition of new types and constants, if needed.) Following Stark, we also require the existence of a new base type $\nu \in \Sigma$ of names. (This will take the place of the type $\mathsf{key}$ of keys, which we shall equate with names.) The λ-calculus of Section 4 is enriched with constructs $\mathsf{val}\ t$ and $\mathsf{let}\ x \Leftarrow t\ \mathsf{in}\ u$ (not to be confused with the let construct of Section 3.1), with typing rules as follows, and two constants $\mathsf{new} : T\nu$ (fresh name creation) and $= : \nu \to \nu \to \mathsf{bool}$ (equality of names).

$(\mathsf{val})\ \dfrac{\Gamma \vdash t : \tau}{\Gamma \vdash \mathsf{val}\ t : T\tau}$ \qquad $(\mathsf{let})\ \dfrac{\Gamma \vdash t : T\tau \quad \Gamma, x : \tau \vdash u : T\tau'}{\Gamma \vdash \mathsf{let}\ x \Leftarrow t\ \mathsf{in}\ u : T\tau'}$

In Stark's semantics (notations are ours here), given any finite set $s$ (of names), $[\![t]\!]s\rho$ is the value of $t$ in environment $\rho$ assuming that all previously created names are in $s$. This allows one to describe the creation of fresh names as returning any name outside $s$. This is most elegantly described by letting the values of terms be taken in the presheaf category $\mathbf{Set}^{\mathcal{I}}$ [17], where $\mathcal{I}$ is the category whose objects are finite sets and whose morphisms $s \to s'$ are injections. Given any type $\tau$, $[\![\tau]\!]s$ is intuitively the set of all values of type $\tau$ in a world where all created names are in $s$. Since $[\![\tau]\!]$ is a functor, for every injection $i : s \to s'$ there is a conversion $[\![\tau]\!]i$ that sends any value $a$ of $[\![\tau]\!]s$ to one in $[\![\tau]\!]s'$, intuitively by renaming the names in $a$ using $i$. By extension, if $\Gamma$ is any context $x_1 : \tau_1, \ldots, x_n : \tau_n$, let $[\![\Gamma]\!]$ be $[\![\tau_1]\!] \times \ldots \times [\![\tau_n]\!]$, using the products in $\mathbf{Set}^{\mathcal{I}}$, i.e., products at each world $s$. Then, as usual in categorical semantics [11], given any term $t$ such that $\Gamma \vdash t : \tau$ is derivable, $[\![t]\!]$ is a morphism from $[\![\Gamma]\!]$ to $[\![\tau]\!]$. This means that $[\![t]\!]$ is a natural transformation from $[\![\Gamma]\!]$ to $[\![\tau]\!]$, in particular that, for every finite set $s$, $[\![t]\!]s$ maps any $\Gamma, s$-environment $\rho$ (a map sending each $x_i$ such that $x_i : \tau_i$ is in $\Gamma$ to some element of $[\![\tau_i]\!]s$) to some value $[\![t]\!]s\rho$ in $[\![\tau]\!]s$; and all this is natural in $s$, i.e., compatible with renaming of names.

Interestingly, $T\tau$, the type of computations that result in a value of type $\tau$, possibly creating fresh names during the course of computation, is defined semantically by $[\![T\tau]\!] = T[\![\tau]\!]$, where $T$ is the strong monad defined in [17, 8, 19]. $TA$ is defined by $\mathrm{colim}_{s'} A(\_ + s') : \mathcal{I} \to \mathbf{Set}$. On objects, this is given by $TAs = \mathrm{colim}_{s'} A(s + s')$, i.e., $TAs$ is the set of all equivalence classes of pairs $(s', a)$ with $s'$ a finite set and $a \in A(s + s')$, modulo the smallest equivalence relation $\equiv$ such that $(s', a) \equiv (s'', A(\mathrm{id}_s + j)a)$ for every morphism $j : s' \to s''$ in $\mathcal{I}$. Intuitively, given a set of names $s$, elements of $TAs$ are formal expressions $(\nu s')a$ where all names in $s'$ are bound and every name free in $a$ is in $s + s'$, modulo the fact that $(\nu s', s'')a = (\nu s')a$ for any additional set of new names $s''$ not free in $a$. We shall in fact write $(\nu s')a$ the equivalence class of $(s', a)$, to aid intuition.

The semantics of $\mathsf{let}$ and $\mathsf{val}$ is standard [14]. Making it explicit on this particular monad, we obtain: $[\![\mathsf{val}\ t]\!]s\rho = (\nu\emptyset)[\![t]\!]s\rho$ and $[\![\mathsf{let}\ x \Leftarrow t\ \mathsf{in}\ u]\!]s\rho = (\nu s' + s'')b$, where $[\![t]\!]s\rho = (\nu s')a$, we assume that $\Gamma \vdash t : T\tau$ and $\Gamma, x : \tau \vdash u : T\tau'$, and where $[\![u]\!](s + s')(([\![\Gamma]\!](\mathrm{inl}_{s,s'})\rho)[x := a]) = (\nu s'')b$. (Concretely, if $\Gamma$ is $x_1 : \tau_1, \ldots, x_n : \tau_n$, $\rho = [x_1 := a_1, \ldots, x_n := a_n]$ where $a_i \in [\![\tau_i]\!]s$ for every $i$, then $[\![\Gamma]\!](\mathrm{inl}_{s,s'})\rho$ is $[x_1 := [\![\tau_1]\!](\mathrm{inl}_{s,s'})a_1, \ldots, x_n := [\![\tau_n]\!](\mathrm{inl}_{s,s'})a_n]$.)

The semantics of base types $b \in \Sigma$, except $\nu$, is given by constant functors: $[\![b]\!]s$ is a fixed set, independent of $s$; e.g., $[\![\mathsf{bool}]\!]s = \mathbb{B}$. The semantics of $\nu$ is $[\![\nu]\!]s = s$, $[\![\nu]\!]i = i$; i.e., the names that exist at $s$ are just the elements of $s$. $\mathbf{Set}^{\mathcal{I}}$ is a presheaf category, hence cartesian-closed [11]. This provides a semantics for λ-abstraction and applications.

Finally, the semantics of $\mathsf{new} : T\nu$ is given by $[\![\mathsf{new}]\!]s\rho = (\nu\{n\})n$, where $n$ is any element not in $s$, and $[\![=]\!]$ is defined as the only morphism in $\mathbf{Set}^{\mathcal{I}}$ such that $[\![= x\ y]\!]s[x := a, y := b]$ is true if $a = b$, and false otherwise.
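As an added illustration (not code from the paper), the following Python script computes the name-creation monad of this subsection in a finite world: an element $(\nu s')a$ of $TAs$ is a pair of a bound name set and a value, $\mathsf{val}$, $\mathsf{let}$ and $\mathsf{new}$ follow the equations above, and two computations are compared by a canonical form that drops bound names unused in the value and renames the rest in order of occurrence. That canonical form is our own implementation of the equivalence $\equiv$ (renaming along injections and forgetting names not free in $a$); the world with one public name, the value grammar (names, booleans, tuples) and the name-generation scheme are constructed assumptions. The examples show why contexts cannot distinguish fresh names from one another while they can distinguish a fresh name from a public one.

```python
"""Stark's name-creation monad, computed in a finite world.

Added example, not code from the paper.  Assumptions (ours): a world s is
a frozenset of name strings; an element (nu s')a of T A s is
Comp(bound=s', value=a); values are built from names (Nm), booleans and
tuples.  Equivalence is decided by the canonical form in `canonical`.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Nm:
    n: str

@dataclass(frozen=True)
class Comp:
    bound: frozenset  # names created by the computation (s')
    value: object     # a in A(s + s')

def names_in(v):
    """Names occurring in a value, in order of first occurrence."""
    if isinstance(v, Nm):
        return [v.n]
    out = []
    if isinstance(v, tuple):
        for x in v:
            out += [n for n in names_in(x) if n not in out]
    return out

def rename(v, table):
    if isinstance(v, Nm):
        return Nm(table.get(v.n, v.n))
    if isinstance(v, tuple):
        return tuple(rename(x, table) for x in v)
    return v

def fresh(s):
    """Any name outside the world s (the choice does not matter)."""
    i = 0
    while f"n{i}" in s:
        i += 1
    return f"n{i}"

def val(a):
    # [[val t]] s rho = (nu empty) [[t]] s rho
    return Comp(frozenset(), a)

def new(s):
    # [[new]] s rho = (nu {n}) n with n not in s
    n = fresh(s)
    return Comp(frozenset({n}), Nm(n))

def bind(s, t, k):
    # [[let x <= t in u]] s rho = (nu s' + s'') b, where t yields (nu s') a and
    # u, evaluated in world s + s' with x := a, yields (nu s'') b.
    s1 = s | t.bound
    c = k(s1, t.value)
    assert c.bound.isdisjoint(s1)
    return Comp(t.bound | c.bound, c.value)

def canonical(s, c):
    """Drop bound names unused in the value, rename the rest in order of
    occurrence: two elements of T A s are equal iff their forms agree."""
    used = [n for n in names_in(c.value) if n in c.bound]
    table, world = {}, set(s)
    for n in used:
        f = fresh(world)
        table[n], world = f, world | {f}
    return (frozenset(table.values()), rename(c.value, table))

def equivalent(s, c1, c2):
    return canonical(s, c1) == canonical(s, c2)

def eq(a, b):
    # [[= x y]]: equality of names
    return a == b

S = frozenset({"pub"})   # constructed world with one public name

def two_fresh_names_differ(s=S):
    # let x <= new in let y <= new in val (x = y)
    return bind(s, new(s), lambda s1, x:
                bind(s1, new(s1), lambda s2, y: val(eq(x, y))))

def fresh_pair(s=S):
    # let x <= new in let y <= new in val (x, y)
    return bind(s, new(s), lambda s1, x:
                bind(s1, new(s1), lambda s2, y: val((x, y))))

def fresh_pair_swapped(s=S):
    # let x <= new in let y <= new in val (y, x)
    return bind(s, new(s), lambda s1, x:
                bind(s1, new(s1), lambda s2, y: val((y, x))))

def fresh_then_drop(s=S):
    # let x <= new in let y <= new in val x
    return bind(s, new(s), lambda s1, x:
                bind(s1, new(s1), lambda s2, y: val(x)))
```

`two_fresh_names_differ()` is equivalent to `val(False)` (the two bound names are garbage), `fresh_pair()` and `fresh_pair_swapped()` are equivalent (renaming), and `fresh_then_drop()` is equivalent to `new(S)`, whereas `new(S)` is not equivalent to `val(Nm("pub"))`: a fresh name is never a public one.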



5.2 Lax Logical Relations for Monads 

Given that terms now take values in some category ($\mathbf{Set}^{\mathcal{I}}$), not in $\mathbf{Set}$ as in Section 3, the proper generalization of prelogical relations is given by lax logical relations [16]. We introduce this notion as gently as possible.

Let $\Sigma$ be the set of base types, seen as a discrete category. The simply-typed λ-calculus gives rise to the free CCC $\Lambda(\Sigma)$ over $\Sigma$ as follows: the objects of $\Lambda(\Sigma)$ are typing contexts $\Gamma$, a morphism from $\Gamma$ to $\Delta = y_1 : \tau_1, \ldots, y_n : \tau_n$ is a substitution $[y_1 := t_1, \ldots, y_n := t_n]$, where $\Gamma \vdash t_i : \tau_i$ ($1 \le i \le n$), modulo $\beta\eta$-conversion. (In particular, $\Gamma$-environments are exactly morphisms from the terminal object, the empty context $\epsilon$, to $\Gamma$.) Composition is substitution. Being the free CCC means that, for any CCC $\mathbb{C}$, for any functor $[\![\_]\!]_0$ from $\Sigma$ to $\mathbb{C}$ (i.e., for any function $[\![\_]\!]_0$ mapping each base type in $\Sigma$ to some object in $\mathbb{C}$), there is a unique representation $[\![\_]\!]_\Lambda$ of CCCs from $\Lambda(\Sigma)$ to $\mathbb{C}$ such that diagram (1) commutes:

(1) the triangle $\Sigma \hookrightarrow \Lambda(\Sigma)$, $[\![\_]\!]_0 : \Sigma \to \mathbb{C}$, $[\![\_]\!]_\Lambda : \Lambda(\Sigma) \to \mathbb{C}$; i.e., $[\![\_]\!]_\Lambda$ restricted to $\Sigma$ is $[\![\_]\!]_0$.

A representation of CCCs is any functor that preserves products and exponentials. When $\mathbb{C}$ is $\mathbf{Set}$, this describes all at once all the constructions $[\![\tau]\!]$ (denotation of types $\tau$) and $[\![t]\!]$ (denotations of typed λ-terms $t$) as used in Section 3.

Let $\mathsf{Subscone}$ be the subscone category, defined as follows. Assume $\mathbb{C}'$ is another CCC, such that $\mathbb{C}'$ has pullbacks. Let $|\_|$ be a functor from $\mathbb{C}$ to $\mathbb{C}'$ that preserves finite products. Then $\mathsf{Subscone}$ is the category whose objects are triples $(S, m, A)$, where $m$ is a mono $S \rightarrowtail |A|$ in $\mathbb{C}'$, and whose morphisms from $(S, m, A)$ to $(S', m', A')$ are pairs of morphisms $(u, v)$ ($u$ in $\mathbb{C}'$, from $S$ to $S'$, and $v$ in $\mathbb{C}$, from $A$ to $A'$), making the obvious square commute ($m' \circ u = |v| \circ m$). Noting that $\mathsf{Subscone}$ is again a CCC (Mitchell and Scedrov [13] make this remark when $\mathbb{C}'$ is $\mathbf{Set}$, and $|\_|$ is the global section functor $\mathbb{C}(1, \_)$), the following purely diagrammatic argument obtains. Assume we are given a functor $(\mathcal{R}_o)_{o \in \Sigma}$ from $\Sigma$ to $\mathsf{Subscone}$, i.e., a collection $\mathcal{R}_o$ of objects in $\mathsf{Subscone}$, one for each base type $o$. Then there is a unique representation $\mathcal{R}$ of CCCs from $\Lambda(\Sigma)$ to $\mathsf{Subscone}$ such that diagram (2) commutes:

(2) the triangle $\Sigma \hookrightarrow \Lambda(\Sigma)$, $(\mathcal{R}_o)_{o \in \Sigma} : \Sigma \to \mathsf{Subscone}$, $\mathcal{R} : \Lambda(\Sigma) \to \mathsf{Subscone}$.

Now the crux of the argument is the following. The forgetful functor $U : \mathsf{Subscone} \to \mathbb{C}$ mapping the object $(S, m, A)$ to $A$ and the morphism $(u, v)$ to $v$ is also a representation of CCCs. It follows that $U \circ \mathcal{R}$ is a representation of CCCs again, from $\Lambda(\Sigma)$ to $\mathbb{C}$. If $U \circ (\mathcal{R}_o)_{o \in \Sigma} = [\![\_]\!]_0$, then by the uniqueness property of $[\![\_]\!]_\Lambda$, we must have $U \circ \mathcal{R} = [\![\_]\!]_\Lambda$, i.e., diagram (3) commutes:

(3) $U \circ \mathcal{R} = [\![\_]\!]_\Lambda$, as functors from $\Lambda(\Sigma)$ to $\mathbb{C}$, the left-hand side going through $\mathsf{Subscone}$.

As observed in [13], and extended to CCCs in [3], when $\mathbb{C}' = \mathbf{Set}$, $\mathbb{C}$ is the product of two CCCs $\mathbb{A}$ and $\mathbb{B}$, and $|\_|$ is the functor $\mathbb{A}(1, \_) \times \mathbb{B}(1, \_)$, $(\mathcal{R}(\tau))_{\tau\ \mathrm{type}}$ behaves like a logical relation. It is really a logical relation, as we have defined it earlier, when both $\mathbb{A}$ and $\mathbb{B}$ are $\mathbf{Set}$. (In this case, an object $\mathcal{R}(\tau)$ is of the form $S \rightarrowtail [\![\tau]\!] \times [\![\tau]\!]$, where $S$, up to isomorphism, is just a subset of the cartesian product of $[\![\tau]\!]$ with itself.) In case $\mathbb{A}$ and $\mathbb{B}$ are the same presheaf category $\mathbf{Set}^{\mathcal{I}}$, $(\mathcal{R}(\tau))_{\tau\ \mathrm{type}}$ is a Kripke logical relation with base category $\mathcal{I}$.

While the object part of functor $\mathcal{R}$, $(\mathcal{R}(\tau))_{\tau\ \mathrm{type}}$, yields logical relations (or extensions), the morphism part maps each morphism in $\Lambda(\Sigma)$, namely a typed term $t$ modulo $\beta\eta$, of type $\tau$, to a morphism in the subscone, i.e., a pair $(u, v)$. The fact that diagram (3) commutes states that $v$ is just the pair of the semantics of $t$ in $\mathbb{A}$ and the semantics of $t$ in $\mathbb{B}$, and the fact that $(u, v)$ is a morphism (saying that a certain square commutes) states that these two semantics are related by $\mathcal{R}(\tau)$: this establishes the basic lemma.

The important property to make $\mathcal{R}$ satisfy the basic lemma is just the equality in diagram (3). Logical relations are the case where $\mathcal{R}$ is a representation of CCCs, in which case, as we have seen, this diagram necessarily commutes. Lax logical relations are product preserving functors $\mathcal{R}$ such that diagram (3) commutes [16, Section 6]. The difference is that, with lax logical relations, we do not require $\mathcal{R}$ to be representations of CCCs, just product preserving functors. We say that $\mathcal{R}$ is strict at arrow types if and only if $\mathcal{R}$ preserves exponentials, too.

Defining lax logical relations for Moggi's monadic meta-language follows the same pattern. The monadic λ-calculus gives rise to the free let-CCC $\mathsf{Comp}(\Sigma)$ over $\Sigma$, where a let-CCC is a CCC with a strong monad. We then get diagram (1) again, only with $\Lambda(\Sigma)$ replaced by $\mathsf{Comp}(\Sigma)$, $\mathbb{C}$ is a let-CCC, and $[\![\_]\!]$ is a representation of let-CCCs, i.e., a functor that preserves products, exponentials, and the monad (functor, unit, multiplication, strength).

5.3 Contextual Equivalence 

Defining contextual equivalence in a calculus with names is a bit tricky. First, we have to consider contexts $C$ of type $To$ ($o \in \mathrm{Obs}$), not of type $o$. Intuitively, contexts should be allowed to do some computations; were they of type $o$, they could only return values. In particular, note that contexts $C$ such that $x : T\tau \vdash C : o$, meant to observe computations at type $\tau$, cannot observe anything. This is because the (let) typing rule only allows one to use computations to build other computations, never values.

Another tricky aspect is that we cannot take contexts $C$ that only depend on one variable $x : \tau$. We must assume that $C$ can also depend on an arbitrary set of public names. Given names $n_1, \ldots, n_m$, the only way $C$ can be made to depend on them is to assume that $C$ has $m$ free variables $z_1, \ldots, z_m$ of type $\nu$, which are mapped to $n_1, \ldots, n_m$. (It is more standard [15, 1] to consider expressions built on separate sets of variables and names, thus introducing the semantic notion of names in the syntax. It is more natural here to consider that there are variables $z_i$ mapped, in a one-to-one way, to names $n_i$.) Let $s_1$ be any set of names containing $n_1, \ldots, n_m$, let $w_1$ be $\{z_1, \ldots, z_m\}$, and $i_1 : w_1 \to s_1$ the injection mapping each $z_i$ to $n_i$, $1 \le i \le m$. Write $w_1 := i_1(w_1)$ for $z_1 := n_1, \ldots, z_m := n_m$, and $w_1 : \nu$ for $z_1 : \nu, \ldots, z_m : \nu$. We shall then consider contexts $C$ such that $w_1 : \nu, x : \tau \vdash C : To$ is derivable, and evaluate $[\![C]\!]s_1[x := a, w_1 := i_1(w_1)]$ and compare it with $[\![C]\!]s_1[x := a', w_1 := i_1(w_1)]$ to decide whether $a$ and $a'$ are contextually equivalent. This represents the fact that $C$ is evaluated in a world where all names in $s_1$ have been created, and where $C$ has access to all (public) names in $i_1(w_1)$.

This definition is not yet correct, as this requires $a$ and $a'$ to be in $[\![\tau]\!]s_1$, but they are in $[\![\tau]\!]s$ for some possibly different set $s$ of names. This is repaired by considering the coercion $[\![\tau]\!]k_1$, where $k_1 : s \to s_1$ is any injection.

To sum up, say that $a, a' \in [\![\tau]\!]s$ are contextually equivalent at $s$, and write $a \approx^s_\tau a'$, if and only if, for every finite set of variables $w_1$, for every injections $i_1 : w_1 \to s_1$ and $k_1 : s \to s_1$, for every term $C$ such that $w_1 : \nu, x : \tau \vdash C : To$ is derivable ($o \in \mathrm{Obs}$), $[\![C]\!]s_1[x := [\![\tau]\!]k_1(a), w_1 := i_1(w_1)] = [\![C]\!]s_1[x := [\![\tau]\!]k_1(a'), w_1 := i_1(w_1)]$.

The notion we use here is inspired by [15, Definition 4], although it may not look so at first sight. We may simplify it a bit by noting that we lose no generality in considering that $C$ has access to all names in $s_1$. Without loss of generality, we equate $w_1$ with $s_1$, and notice that $a \approx^s_\tau a'$ if and only if, for every injection $k_1 : s \to s_1$, for every term $C$ such that $s_1 : \nu, x : \tau \vdash C : To$ is derivable ($o \in \mathrm{Obs}$), $[\![C]\!]s_1[x := [\![\tau]\!]k_1(a), s_1 := s_1] = [\![C]\!]s_1[x := [\![\tau]\!]k_1(a'), s_1 := s_1]$. (Remember we see the variables in $s_1$ as denoting the names in $s_1$ here, equating names with variables.) The use of injections between finite sets leads us naturally to switch from $\mathbf{Set}^{\mathcal{I}}$ to the category $\mathbf{Set}^{\mathcal{I}^\to}$, where the arrow category $\mathcal{I}^\to$ of $\mathcal{I}$ has as objects all morphisms $i : w \to s$ in $\mathcal{I}$, and as morphisms from $i : w \to s$ to $i' : w' \to s'$ all pairs $(j, k)$ of morphisms $j : w \to w'$, $k : s \to s'$ such that diagram (4) commutes, i.e., $k \circ i = i' \circ j$. This is in accordance with [19], where it is noticed that $\mathbf{Set}^{\mathcal{I}^\to}$ is the right category to define a Kripke logical relation (but not necessarily lax) that coincides with Pitts and Stark's on first-order types. We shall consider here the equivalent category where $w$ is restricted to be a finite set of variables (and continue to call this category $\mathcal{I}^\to$). Objects $i : w \to s$ are then sets $w$ of variables denoting those public names in $s$, together with an injection $i$. So we shall work with lax logical relations in the subscone category $\mathsf{Subscone}$, where $\mathbb{C} = \mathbf{Set}^{\mathcal{I}} \times \mathbf{Set}^{\mathcal{I}}$, $\mathbb{C}'$ is the presheaf category $\mathbf{Set}^{\mathcal{I}^\to}$, and $|\_| : \mathbb{C} \to \mathbb{C}'$ is the composite of the binary product functor $\times : \mathbf{Set}^{\mathcal{I}} \times \mathbf{Set}^{\mathcal{I}} \to \mathbf{Set}^{\mathcal{I}}$ with the functor $\mathbf{Set}^{u} : \mathbf{Set}^{\mathcal{I}} \to \mathbf{Set}^{\mathcal{I}^\to}$. Here $u : \mathcal{I}^\to \to \mathcal{I}$ is the obvious forgetful functor that maps $i : w \to s$ to $s$. Say that a value $a \in [\![\tau]\!]s$ is definable at $w \to s$ if and only if there is a term $t$ such that $w : \nu \vdash t : \tau$ is derivable and $a = [\![t]\!]s[w := i(w)]$.

Definition 1. Let $i : w \to s$ be any object of $\mathcal{I}^\to$. The values $a, a' \in [\![\tau]\!]s$ are said to be contextually equivalent at $w \to s$, written $a \approx^{w \to s}_\tau a'$, if and only if, for every morphism $(j_1, k_1)$ from $w \to s$ to any object $i_1 : w_1 \to s_1$ in $\mathcal{I}^\to$, for every term $C$ such that $w_1 : \nu, x : \tau \vdash C : To$ ($o \in \mathrm{Obs}$) is derivable, $[\![C]\!]s_1[x := [\![\tau]\!]k_1(a), w_1 := i_1(w_1)] = [\![C]\!]s_1[x := [\![\tau]\!]k_1(a'), w_1 := i_1(w_1)]$. Define the relation $\mathcal{R}^{w \to s}_\tau$ by: $a \mathcal{R}^{w \to s}_\tau a'$ if and only if $a$ and $a'$ are definable at $w \to s$ and $a \approx^{w \to s}_\tau a'$.

In particular, $a \approx^s_\tau a'$ iff $a \approx^{\emptyset \to s}_\tau a'$, where $\emptyset \to s$ denotes the unique empty injection.
Note that for every value $a \in [\![\tau]\!]s$ definable at $w \to s$, $[\![\tau]\!]k(a)$ is also definable at $w' \to s'$, whenever there is a morphism $(j, k)$ from the former to the latter. Indeed, let $a = [\![t]\!]s[w := i(w)]$. Then for $t'$ obtained from $t$ by renaming according to $j$,

$[\![\tau]\!]k(a) = [\![t']\!]s'[w' := i'(w')]. \quad (1)$

In particular, every value $a \in [\![\tau]\!]s$ definable at $\emptyset \to s$ is definable at every $w \to s$.

Theorem 5. Lax logical relations are complete for contextual equivalence in the Moggi-Stark calculus, in the strong sense that there is a lax logical relation $\mathcal{R}$ such that, for every terms $u, u'$ such that $w : \nu \vdash u : \tau$ and $w : \nu \vdash u' : \tau$ are derivable,

$[\![u]\!]s[w := i(w)] \approx^{w \to s}_\tau [\![u']\!]s[w := i(w)]$ iff $[\![u]\!]s[w := i(w)] \mathcal{R}^{w \to s}_\tau [\![u']\!]s[w := i(w)]$.

The (non-lax) logical relation of [19] is defined on $\nu$ by: $n \mathcal{R}^{w \to s}_\nu n'$ iff $n = n' \in i(w)$. This is exactly what the lax logical relation of Definition 1 is defined as on the $\nu$ type:

Lemma 2. Let $\mathcal{R}$ be the logical relation of Definition 1. Then $n \mathcal{R}^{w \to s}_\nu n'$ if and only if $n = n' \in i(w)$.

To finish this section, we observe:

Lemma 3. Assume that observation types have no junk, in the sense that every value of $[\![o]\!]s$ ($o \in \mathrm{Obs}$) is definable at $s$, for every $s$, equivalently at every $w \to s$. Then $\mathcal{R}^{w \to s}_o$ is equality on $[\![o]\!]s$, and $\mathcal{R}^{w \to s}_{To}$ is equality on $[\![To]\!]s$ for any observation type $o$.

We almost forgot to prove soundness! It is easy to see that any lax logical relation that coincides with partial equality on types $To$ is sound for contextual equivalence. Indeed, by the basic lemma $U \circ \mathcal{R} = [\![\_]\!]$, whenever $a \mathcal{R}^{w \to s}_\tau a'$, then for any $C$ such that $w_1 : \nu, x : \tau \vdash C : To$ ($o \in \mathrm{Obs}$) is derivable, for any morphism $(j_1, k_1)$ from $w \to s$ to $w_1 \to s_1$, $[\![C]\!]s_1[w_1 := i_1(w_1), x := [\![\tau]\!]k_1(a)] \mathcal{R}^{w_1 \to s_1}_{To} [\![C]\!]s_1[w_1 := i_1(w_1), x := [\![\tau]\!]k_1(a')]$; so $a \approx^{w \to s}_\tau a'$.

5.4 Mixing Fresh Name Creation and Encryption

Let us get down to earth. What do we need now to get lax logical relations that are sound and complete for contextual equivalence when both fresh name creation and cryptographic primitives are involved? The answer is: just lax logical relations on $\mathbf{Set}^{\mathcal{I}}$, as used in Section 5.3, making sure that they relate each constant to itself. We have indeed been careful in making sure that our calculi were open, i.e. they can be extended to arbitrarily many new types and constants. The only requirement is that the new constructs can be given a semantics in $\mathbf{Set}^{\mathcal{I}}$. In particular, a lax logical relation on $\mathbf{Set}^{\mathcal{I}}$ is sound for observational equivalence in the presence of cryptographic primitives if each of the constants $\mathsf{enc}$, $\mathsf{dec}$, $\mathsf{SOME}$, $\mathsf{NONE}$, $\mathsf{case}$ is related to itself.

Then Theorem 5 shows that lax logical relations are complete for the Moggi-Stark calculus, which uses a name creation monad. We have in fact proved more, again because we have been particularly keen on leaving the set of types and constants open: whatever new constants and types you allow, lax logical relations remain complete. In particular, taking $\mathsf{enc}$, $\mathsf{dec}$, $\mathsf{SOME}$, $\mathsf{NONE}$, $\mathsf{case}$ as new constants, we automatically get sound and complete lax logical relations for name creation and cryptographic primitives.

Acknowledgements. We would like to thank Michel Bidoit for having directed us to 
the notion of prelogical relations in the first place. 
Abstract. Subtyping can be fairly complex for union types, due to interactions with other types, such as function types. Furthermore, these
interactions turn out to depend on the calculus considered: for instance, 
a call-by-value calculus and a call-by-name calculus will have different 
possible subtyping rules. In order to abstract ourselves away from this 
dependence, we consider a fairly large class of calculi. This allows us to 
find a subtyping relation which is both robust (it is sound for all calculi) 
and precise (it is complete with respect to the class of calculi). 

Keywords: union types, subtyping, semantics, lambda-calculus. 



1 Introduction 

The design of a subtyping relation for a language with a rich type system is hard. 
The subtyping relation should satisfy conflicting requirements. On the one hand, 
one would like the relation to have strong theoretical foundations, rather than 
being defined in an ad hoc, purely algorithmic, fashion. It is therefore tempting 
to base it on the semantics of the language. But, on the other hand, one should 
be careful not to tie it too tightly to a particular language. Especially, one should 
avoid accidental special cases which happen to hold only in the language con- 
sidered. Indeed, the relation should be robust in order to accommodate future 
language extensions. It should also be simple enough so that the users can un- 
derstand it, and should possess good algorithmic properties: checking whether 
two types are in a subtyping relation should be reasonably simple and efficient. 

We should emphasize the fact that the possible subtyping relations depend on the language considered by providing some examples. Let us first give some rough intuition about types. For these examples, we take the view that well-typed terms may diverge but will evaluate without error. A term of type $\bot$ is a term that always diverges. A term of type $\top$ is a term that evaluates without error. A term of type $\tau' \to \tau$ behaves like a term of type $\tau$ once applied to a term of type $\tau'$. A term of type $\tau \cup \tau'$ behaves as a term of type either $\tau$ or $\tau'$. We write $\tau <: \tau'$ to mean that $\tau$ is a subtype of $\tau'$ and $\tau = \tau'$ to mean that $\tau$ and $\tau'$ are equivalent, that is, subtypes of one another. We can now present some subtyping assertions that only hold under some conditions on the language.

— In some call-by-value languages, we can have $\top <: \bot \to \bot$. Indeed, this assertion holds when the application is strict in its right argument (for any first argument which evaluates without error), that is, when we can apply any term $e$ which evaluates without error to a term $e'$ that diverges and get a term $e\,e'$ which diverges.

— In some call-by-value languages, we can have the distributivity law $(\tau_1 \cup \tau_2) \times \tau = (\tau_1 \times \tau) \cup (\tau_2 \times \tau)$. This law does not hold in a call-by-name language with non-determinism. Indeed, a term of type $(\tau_1 \cup \tau_2) \times \tau$ may well be a pair whose first component evaluates sometimes to a value of type $\tau_1$ and sometimes to a value of type $\tau_2$. Still, it can hold in a call-by-need language with non-determinism, as an expression is then evaluated at most once.

— In a deterministic language, unions of function types $\tau \to \tau'$ obey very special subtyping rules when $\tau$ is finite (as observed by Damm [1]). The reason is that these types are isomorphic to tuple types.

On the other hand, some rules seem very robust:

— The arrow is contravariant on the left and covariant on the right: if $\tau_2' <: \tau_2$ and $\tau_1 <: \tau_1'$, then $\tau_2 \to \tau_1 <: \tau_2' \to \tau_1'$.

— Union types are least upper bounds: if $\tau <: \tau_1$ or $\tau <: \tau_2$, then $\tau <: \tau_1 \cup \tau_2$; if $\tau_1 <: \tau$ and $\tau_2 <: \tau$, then $\tau_1 \cup \tau_2 <: \tau$.

The aim of this paper is to develop a framework in which we can substantiate 
the above claims, and thus understand which subtyping assertions r <: r' hold 
“by accident” (depending on some specific properties of a calculus), and which 
are more universal (valid for a large class of calculi). 

Rather than choosing a particular calculus, we specify a broad class of calculi in a fairly abstract way. For each calculus, we interpret a type $\tau$ as a set of terms $[\![\tau]\!]$. Given a subtyping relation $<:$, defined for instance by inference rules, we can state that a subtyping assertion $\tau <: \tau'$ is valid when $[\![\tau]\!] \subseteq [\![\tau']\!]$. Then, a subtyping relation is sound when any derivable subtyping assertion is valid in all calculi. It is complete when every universally valid assertion can be derived.

We present a relation which is both sound and complete for the class of calculi 
considered. Though this is not addressed in this paper, it would then be possible 
to study relations which are only sound under some assumptions by restricting 
the class of calculi. 

The paper is organized as follows. The class of calculi is defined (Sect. 2) and 
a particular instance is given (Sect. 3). We present a simple type system, define 
a subtyping relation and prove the soundness and completeness of the relation 
(Sect. 4). We conclude by presenting related work (Sect. 5) and directions 
for future work (Sect. 6). Most proofs are omitted for lack of space. They are 
available online in an extended version of the paper [2]. 



2 A Class of Abstract Calculi 

2.1 Informal Presentation and Definitions 

We would like to study subtyping for a class of calculi with functions, pairs and constants. The first step is to associate to each type $\tau$ its semantics $[\![\tau]\!]$, that is, the set of terms of type $\tau$. We type terms rather than values because the notion of terms is more fundamental: the notion of value depends on the language considered. Besides, it is not always possible to reduce the behavior of a term to the behavior of a set of values, especially in a call-by-name calculus. This is actually possible in the calculus of Sect. 3, but only because we made some specific choices about types.

As it turns out, it is convenient to only consider sets of terms that satisfy a given closure property: we assume given a closure operator on sets of terms, that is, a function $\mathcal{E} \mapsto \overline{\mathcal{E}}$ which is extensive ($\mathcal{E} \subseteq \overline{\mathcal{E}}$), idempotent ($\overline{\overline{\mathcal{E}}} = \overline{\mathcal{E}}$) and monotone. A set of terms $\mathcal{E}$ is said to be closed if $\overline{\mathcal{E}} = \mathcal{E}$. The idea is that the closure $\overline{\mathcal{E}}$ of a set of terms $\mathcal{E}$ is the set of terms that cannot be distinguished (as far as types are concerned) from the terms in $\mathcal{E}$. Thus, different choices of a closure operator yield different interpretations of types.

Types categorize terms according to their behavior. We should be able to use them to avoid some unsafe behavior, typically runtime errors. So, we distinguish a set $\mathcal{S}$ of safe terms. Dually, we define a set $\mathcal{N}$ of neutral terms (typically, terms that loop) as the intersection of all non-empty closed sets of terms. We call semantic type a closed set of terms included in $\mathcal{S}$ and including $\mathcal{N}$. We require the semantics $[\![\tau]\!]$ of a syntactic type $\tau$ to be a semantic type.

It seems really important in practice to distinguish a set of safe terms $\mathcal{S}$ from the set of all terms $\mathcal{T}$, and a set of neutral terms $\mathcal{N}$ from the least closed set $\overline{\emptyset}$. Indeed, in Sect. 3, we will have $\mathcal{S} \neq \mathcal{T}$ and $\mathcal{N} = \overline{\emptyset}$, but in [3], we have $\mathcal{S} \neq \mathcal{T}$ and $\mathcal{N} \neq \overline{\emptyset}$, and in [4], we have $\mathcal{S} = \mathcal{T}$ and $\mathcal{N} \neq \overline{\emptyset}$. Finally, in the setting of [5], one has $\mathcal{S} \neq \mathcal{T}$ and $\mathcal{N} \neq \overline{\emptyset}$ (safe terms are strongly normalizing terms, and some terms such as a variable $x$ can be given any type).

Let us now sketch how we define the semantics of types. The idea is that we 
want to be able to build more complex typed terms by assembling smaller typed 
terms according to simple (typing) rules. For instance: 

$$\textsc{App}\ \frac{e : \tau' \to \tau \quad e' : \tau'}{e\,e' : \tau} \qquad \textsc{Fst}\ \frac{e : \tau \times \tau'}{\mathrm{fst}\,e : \tau} \qquad \textsc{Snd}\ \frac{e : \tau \times \tau'}{\mathrm{snd}\,e : \tau'}$$

The rules above suggest the following inclusions. 

$$[\![\tau' \to \tau]\!] \subseteq \{e \in \mathcal{S} \mid \forall e' \in [\![\tau']\!].\ e\,e' \in [\![\tau]\!]\}$$

$$[\![\tau \times \tau']\!] \subseteq \{e \in \mathcal{S} \mid \mathrm{fst}\,e \in [\![\tau]\!] \wedge \mathrm{snd}\,e \in [\![\tau']\!]\}$$

These inclusions ensure the soundness of the typing rules. In order to reason 
about types, it is important to have a more precise characterization of their 
semantics. It seems therefore natural to replace these inclusions by equalities. 

$$[\![\tau' \to \tau]\!] = \{e \in \mathcal{S} \mid \forall e' \in [\![\tau']\!].\ e\,e' \in [\![\tau]\!]\}$$

$$[\![\tau \times \tau']\!] = \{e \in \mathcal{S} \mid \mathrm{fst}\,e \in [\![\tau]\!] \wedge \mathrm{snd}\,e \in [\![\tau']\!]\}$$

But the sets $[\![\tau' \to \tau]\!]$ and $[\![\tau \times \tau']\!]$ must be semantic types. The definitions 
above clearly ensure that these sets are included in $\mathcal{S}$. They must also be closed 
and must contain $\mathcal{N}$. We cannot force this by making the sets larger, as this 
would violate the soundness conditions. Instead, we make more assumptions on 
the calculi. We say that a function is continuous when the inverse image of a 
closed set is closed, and that a function is strict when the set $\mathcal{N}$ is included in the 
inverse image of $\mathcal{N}$. We can prove inductively that the sets $[\![\tau' \to \tau]\!]$ and $[\![\tau \times \tau']\!]$ 
are closed if $\mathcal{S}$ is closed and the functions $\mathrm{fst}$, $\mathrm{snd}$, and $e \mapsto e\,e'$ (for all terms $e'$ 
in $\mathcal{S}$) are continuous. Similarly, we can prove that these sets contain $\mathcal{N}$ if $\mathcal{N} \subseteq \mathcal{S}$ 
and the same functions are strict. This appears more clearly if the equations 
above are rewritten in a more algebraic form. 

$$[\![\tau' \to \tau]\!] = \mathcal{S} \cap \bigcap_{e' \in [\![\tau']\!]} \{e \mid e\,e' \in [\![\tau]\!]\}$$

$$[\![\tau \times \tau']\!] = \mathcal{S} \cap \mathrm{fst}^{-1}([\![\tau]\!]) \cap \mathrm{snd}^{-1}([\![\tau']\!])$$

It is really natural for all these functions to be strict, as they are destructors. 
The continuity properties may seem harder to achieve. We will see in Sect. 3.2 
that it is actually straightforward to define a closure operator ensuring these 
properties. 

Note that if $\mathcal{N} = \overline{\emptyset}$, then all continuous functions are strict. Indeed, if $f$ is 
continuous, then $f^{-1}(\overline{\emptyset})$ is closed and therefore contains $\overline{\emptyset}$. Thus, if we want 
constant functions to be continuous, which seems reasonable, we need to have 
$\mathcal{N} \neq \overline{\emptyset}$. 

The calculi also have constants, denoted $\kappa$. These constants are assumed to 
be safe. We define a singleton type $\kappa$ for each constant $\kappa$. Its semantics is the 
least closed set of terms containing the constant $\kappa$: 

$$[\![\kappa]\!] = \overline{\{\kappa\}}\ .$$

2.2 Formal Specification 

The class of calculi we consider consists of the calculi to which we can associate: 

— a set of terms $\mathcal{T}$; 

— a closure operator $\mathcal{E} \mapsto \overline{\mathcal{E}}$ on sets of terms; 

— a closed subset $\mathcal{S} \subseteq \mathcal{T}$ of safe terms; 

— three operators: application $\mathrm{app} : \mathcal{T} \to \mathcal{T} \to \mathcal{T}$, written $e\,e'$, and the 
projections $\mathrm{fst} : \mathcal{T} \to \mathcal{T}$, $e \mapsto \mathrm{fst}\,e$, and $\mathrm{snd} : \mathcal{T} \to \mathcal{T}$, $e \mapsto \mathrm{snd}\,e$, 
such that $e \mapsto e\,e'$ (where $e' \in \mathcal{S}$), $\mathrm{fst}$ and $\mathrm{snd}$ are continuous and strict; 

— a set of constants $\kappa \in \mathcal{S}$. 

Note that we consider the closure operator as part of the calculus. Thus, two 
different calculi can be identical except for their closure operators. They can be 
understood as two (semantically) typed variants of the same untyped calculus. 
2.3 Semantic Operations 

We define one operation on sets of terms for each type construction we have in 
mind: bottom type, union of two types, function types, pair types and constant 
types. These operations are used to define the semantics of types in a straight- 
forward fashion in Sect. 4.1. Note that the semantic union $\mathcal{E} \sqcup \mathcal{E}'$ of two sets of 
terms is not simply their union. Indeed, the union of two closed sets is usually 
not a closed set. In other words, there may be some terms that are in neither 
of the sets but cannot be distinguished from the terms in the union of both 
sets. Our solution is to take the least closed set containing the union. This is 
not just a technical point, but is actually crucial for typing a calculus with non- 
determinism, for which we could expect, for instance, a term to be in $\mathcal{E} \sqcup \mathcal{E}'$ if 
it behaves erratically either as a term in $\mathcal{E}$ or as a term in $\mathcal{E}'$. 

$\boxed{\bot}$ is the least semantic type; 

$$\mathcal{E} \sqcup \mathcal{E}' = \overline{\mathcal{E} \cup \mathcal{E}'}$$

$$\mathcal{E}' \Rightarrow \mathcal{E} = \{e \in \mathcal{S} \mid \forall e' \in \mathcal{E}'.\ e\,e' \in \mathcal{E}\}$$

$$\mathcal{E} \otimes \mathcal{E}' = \{e \in \mathcal{S} \mid \mathrm{fst}\,e \in \mathcal{E} \wedge \mathrm{snd}\,e \in \mathcal{E}'\}$$

$$\boxed{\kappa} = \overline{\{\kappa\}}$$

It is clear that all these operations map semantic types to semantic types. 

3 A Concrete Calculus 

We present a particular instance of the class of calculi considered. This calculus 
is used in Sect. 4 to prove the completeness of a subtyping relation. It turns out, 
moreover, that a subtyping relation is complete if and only if it is complete for 
this particular calculus. 



3.1 The Calculus 



The calculus we consider is a call-by-name calculus with pairs and constants. Its 
main remarkable characteristics are a notion of errors, a strict let binder and 
two non-deterministic choice operators. The syntax of the calculus is given by 
the following grammar: 

e ::= x                            variable 
    | λx.e                         abstraction 
    | e e                          application 
    | (e, e)                       pair 
    | fst e                        first projection 
    | snd e                        second projection 
    | κ                            constant 
    | if e = κ then e else e       conditional 
    | e ⊔ e                        erratic choice 
    | e ∨ e                        error-avoiding choice 
    | let x = e in e               strict let 
    | error                        error 

The set of constants $\kappa$ is supposed to be infinite. A big-step semantics is given 
in Fig. 1. The values are a subgrammar of terms: 

v ::= λx.e | (e, e) | κ | error 

In the reduction rules, we write $v \neq v'$, where $v'$ describes a specific shape of 
values (for instance, $v'$ is $(e_1, e_2)$), to mean that $v$ is not of the same shape as $v'$. 



$$\textsc{Var-Error}\ \frac{}{x \Downarrow \mathrm{error}} \qquad \textsc{Abs}\ \frac{}{\lambda x.e \Downarrow \lambda x.e}$$

$$\textsc{App}\ \frac{e \Downarrow \lambda x.e_1 \quad e_1[e'/x] \Downarrow v}{e\,e' \Downarrow v} \qquad \textsc{App-Error}\ \frac{e \Downarrow v \quad v \neq \lambda x.e_1}{e\,e' \Downarrow \mathrm{error}}$$

$$\textsc{Pair}\ \frac{}{(e_1, e_2) \Downarrow (e_1, e_2)}$$

$$\textsc{Fst}\ \frac{e \Downarrow (e_1, e_2) \quad e_1 \Downarrow v}{\mathrm{fst}\,e \Downarrow v} \qquad \textsc{Fst-Error}\ \frac{e \Downarrow v \quad v \neq (e_1, e_2)}{\mathrm{fst}\,e \Downarrow \mathrm{error}}$$

$$\textsc{Snd}\ \frac{e \Downarrow (e_1, e_2) \quad e_2 \Downarrow v}{\mathrm{snd}\,e \Downarrow v} \qquad \textsc{Snd-Error}\ \frac{e \Downarrow v \quad v \neq (e_1, e_2)}{\mathrm{snd}\,e \Downarrow \mathrm{error}}$$

$$\textsc{Constant}\ \frac{}{\kappa \Downarrow \kappa}$$

$$\textsc{If-Equal}\ \frac{e \Downarrow \kappa \quad e' \Downarrow v}{\mathbf{if}\ e = \kappa\ \mathbf{then}\ e'\ \mathbf{else}\ e'' \Downarrow v} \qquad \textsc{If-Not-Equal}\ \frac{e \Downarrow \kappa' \quad \kappa' \neq \kappa \quad e'' \Downarrow v}{\mathbf{if}\ e = \kappa\ \mathbf{then}\ e'\ \mathbf{else}\ e'' \Downarrow v}$$

$$\textsc{If-Error}\ \frac{e \Downarrow v \quad v \neq \kappa'}{\mathbf{if}\ e = \kappa\ \mathbf{then}\ e'\ \mathbf{else}\ e'' \Downarrow \mathrm{error}}$$

$$\textsc{Para-Left}\ \frac{e \Downarrow v}{e \sqcup e' \Downarrow v} \qquad \textsc{Para-Right}\ \frac{e' \Downarrow v}{e \sqcup e' \Downarrow v}$$

$$\textsc{Catch-Left}\ \frac{e \Downarrow v \quad v \neq \mathrm{error}}{e \vee e' \Downarrow v} \qquad \textsc{Catch-Right}\ \frac{e' \Downarrow v \quad v \neq \mathrm{error}}{e \vee e' \Downarrow v} \qquad \textsc{Catch-Error}\ \frac{e \Downarrow \mathrm{error} \quad e' \Downarrow \mathrm{error}}{e \vee e' \Downarrow \mathrm{error}}$$

$$\textsc{Let}\ \frac{e \Downarrow v \quad v \neq \mathrm{error} \quad e'[v/x] \Downarrow v'}{\mathbf{let}\ x = e\ \mathbf{in}\ e' \Downarrow v'} \qquad \textsc{Let-Error}\ \frac{e \Downarrow \mathrm{error}}{\mathbf{let}\ x = e\ \mathbf{in}\ e' \Downarrow \mathrm{error}}$$

$$\textsc{Error}\ \frac{}{\mathrm{error} \Downarrow \mathrm{error}}$$

Fig. 1. Semantics 



The semantics is rather standard and unsurprising. We simply say a few 
words about the two non-deterministic choice operators. The first one, $e \sqcup e'$, is 
the standard erratic operator: $e \sqcup e' \Downarrow v$ if and only if either $e \Downarrow v$ or $e' \Downarrow v$. 
The second one, $e \vee e'$, is a bit like an angelic choice operator, but instead of 
attempting to avoid non-termination, it attempts to avoid errors. Another way 
of understanding this operator is to consider it as a symmetric variant of a 
catch operator: it evaluates one of the terms $e$ or $e'$ and, if this fails, falls back 
to evaluating the other term. The unusual notations emphasize the fact that 
both operations correspond to a least upper bound, as we will see in Sect. 3.4. 
We define the following diverging term: 

$$\mathrm{diverge} = (\lambda x.\,x\,x)\,(\lambda x.\,x\,x)\ .$$

3.2 Orthogonality 

Remember that we need to specify not only a calculus but also a closure operator 
on sets of terms. We first present a generic way of building a closure operator. 
The choice of a particular closure operator is made in the next section, 3.3. 

A convenient way to define a closure operator on sets of terms is by orthogonality 
between terms and contexts. At this point, it does not matter what the 
set of contexts is. We just assume given an orthogonality relation $e \perp c$ between 
terms $e$ and contexts $c$. Its intended meaning is that the term $e$ behaves prop- 
erly in the context $c$. We define the orthogonal $\mathcal{E}^{\perp}$ of a set of terms $\mathcal{E}$ as the set of 
contexts in which all terms in $\mathcal{E}$ behave properly: 

$$\mathcal{E}^{\perp} = \{c \mid \forall e \in \mathcal{E}.\ e \perp c\}\ .$$

Conversely, we define the orthogonal $\mathcal{C}^{\perp}$ of a set of contexts $\mathcal{C}$ as the set of terms 
that behave properly in all the contexts in $\mathcal{C}$: 

$$\mathcal{C}^{\perp} = \{e \mid \forall c \in \mathcal{C}.\ e \perp c\}\ .$$

These two functions define a Galois connection between sets of terms and 
sets of contexts. The important point here is that the composition of these two 
functions, which associates to a set of terms $\mathcal{E}$ its biorthogonal $\overline{\mathcal{E}} = \mathcal{E}^{\perp\perp}$, is a 
closure operator. (Dually, we can define a closure operator which associates to a 
set of contexts its biorthogonal $\overline{\mathcal{C}} = \mathcal{C}^{\perp\perp}$.) 

Furthermore, we can rely on the following lemma to guide us in the choice of 
a set of contexts. Let $f$ be a function from terms to terms, and $g$ be a function 
from contexts to contexts. We say that $g$ is an adjoint of $f$ iff 

$$f(e) \perp c \iff e \perp g(c)\ .$$

Lemma 1 . , , ^ , , f , , -i 1 9 - 1 1 , 1 1 1 1 

3.3 The Closure Operator 

Using the tools just developed, we can now specify the closure operator. Contexts 
are given by the following grammar: 

c ::= Id                           identity 
    | c ∘ F                        frame concatenation 
    | c ∨ c                        join 

F ::= _ e 
    | fst _ 
    | snd _ 
    | if _ = κ then e else e 

A context $c$ can be viewed as a stack, with a weird “stack join” operation, and 
$F$ can be viewed as a stack frame. Every context $c$ and term $e$ may be combined 
to generate a term denoted $c\,e$ and defined as follows (the term $F[e]$ is the term 
which results from replacing $\_$ by $e$ in the frame $F$): 

$$\mathrm{Id}\,e = e$$

$$(c \circ F)\,e = c\,(F[e])$$

$$(c \vee c')\,e = \mathbf{let}\ x = e\ \mathbf{in}\ ((c\,x) \vee (c'\,x)) \quad \text{where } x \text{ is fresh}\ .$$

A term $e$ is safe when it does not reduce to the error. Thus, we define the 
set $\mathcal{S}$ by: 

$$\mathcal{S} = \{e \mid \neg(e \Downarrow \mathrm{error})\}\ .$$

The orthogonality relation is defined by: 

$$e \perp c \iff c\,e \in \mathcal{S}\ .$$

As indicated in the previous section (3.2), this induces a closure operator on sets 
of terms. This is the closure operator that we choose to associate to our calculus. 

The choice of this operator is crucial: it controls what can be observed by 
typed terms. We should therefore explain how the contexts are chosen. The 
identity context $\mathrm{Id}$ ensures that $\mathcal{S}$ is closed. The frame concatenation operation 
$c \circ F$ ensures that each frame is continuous (by Lemma 1). The join operation $c \vee c'$ 
allows for disjunctive tests. For instance, the context $(\mathrm{Id} \circ \mathrm{fst}\,\_) \vee (\mathrm{Id} \circ \_\,\mathrm{diverge})$ 
will behave properly against terms which reduce to either a pair or a function, 
but will fail with other terms. This ensures that the closed union $\mathcal{E} \sqcup \mathcal{E}'$ of two 
semantic types $\mathcal{E}$ and $\mathcal{E}'$ is not “too large” (see Sect. 3.4 for a more precise 
characterization of this property). 

3.4 Properties of the Calculus 

We study some notable properties of the calculus. The completeness proof will 
make use of all these properties. 

Terms and Values. An important property of the calculus is that the behavior 
of a term (as specified by the closure operator) is characterized by the behavior 
of the values it reduces to. 

Lemma 2 (Terms and Values). , e , , . . 

. V . 

The contexts have been carefully chosen for Lemma 2 to hold. For instance, 
it does not hold if the syntax of frames is extended with a family of frames $e\,\_$. 
Indeed, consider the term: 

$$f = \lambda x.\ \mathbf{if}\ x = \kappa\ \mathbf{then}\ (\mathbf{if}\ x = \kappa\ \mathbf{then}\ \mathrm{diverge}\ \mathbf{else}\ \mathrm{error})\ \mathbf{else}\ \mathrm{diverge}\ .$$

We have $f\,\kappa' \in \mathcal{S}$ for all constants $\kappa'$, but $f\,(\kappa \sqcup \kappa') \notin \mathcal{S}$ if the constants $\kappa$ and 
$\kappa'$ are distinct. So, if $\mathrm{Id} \circ (f\,\_)$ were a context, then we would have $\kappa' \in \{\mathrm{Id} \circ (f\,\_)\}^{\perp}$ for 
all constants $\kappa'$, but not $\kappa \sqcup \kappa' \in \{\mathrm{Id} \circ (f\,\_)\}^{\perp}$ (when the constants $\kappa$ and $\kappa'$ are 
distinct). 

Intuitively, the result holds if the evaluation of a term $c\,e$ first involves the 
evaluation of the term $e$. We formalize this property by introducing a notion of 
linearity: we say that a function $f$ from terms to terms is linear when for any 
term $e$ and value $v$, $f\,e \Downarrow v$ if and only if there exists a value $v'$ such that $e \Downarrow v'$ 
and $f\,v' \Downarrow v$. We then have the expected result. 

Lemma 3 (Context Linearity). ^ ^ ^ ^ ^ 
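The following set-valued evaluator is an added example, not code from the paper: it implements the rules of Fig. 1 (returning every value a term can reduce to) and reproduces, on the term f above, the observation that f κ' is safe for every constant while f (κ ⊔ κ') can reduce to error. The class names, the binder name z used in f and the fuel bound are assumptions of the example.

```python
from dataclasses import dataclass, fields
from typing import FrozenSet


class Term: pass                                   # terms of the grammar in Sect. 3.1

@dataclass(frozen=True)
class Var(Term): x: str
@dataclass(frozen=True)
class Lam(Term): x: str; body: Term                # λx.e
@dataclass(frozen=True)
class App(Term): fun: Term; arg: Term              # e e'
@dataclass(frozen=True)
class Pair(Term): fst: Term; snd: Term             # (e, e')
@dataclass(frozen=True)
class Fst(Term): e: Term
@dataclass(frozen=True)
class Snd(Term): e: Term
@dataclass(frozen=True)
class Const(Term): k: str                          # κ
@dataclass(frozen=True)
class If(Term): e: Term; k: str; then: Term; els: Term   # if e = κ then e' else e''
@dataclass(frozen=True)
class Erratic(Term): l: Term; r: Term              # e ⊔ e'
@dataclass(frozen=True)
class Catch(Term): l: Term; r: Term                # e ∨ e'
@dataclass(frozen=True)
class Let(Term): x: str; e: Term; body: Term       # let x = e in e' (strict)
@dataclass(frozen=True)
class Error(Term): pass

ERR = Error()


def subst(e: Term, x: str, s: Term) -> Term:
    """e[s/x]; binders are assumed to carry distinct names, so no renaming is done."""
    if isinstance(e, Var):
        return s if e.x == x else e
    if isinstance(e, Lam):
        return e if e.x == x else Lam(e.x, subst(e.body, x, s))
    if isinstance(e, Let):
        return Let(e.x, subst(e.e, x, s), e.body if e.x == x else subst(e.body, x, s))
    if isinstance(e, (App, Pair, Erratic, Catch)):           # binary constructors
        a, b = (getattr(e, f.name) for f in fields(e))
        return type(e)(subst(a, x, s), subst(b, x, s))
    if isinstance(e, (Fst, Snd)):
        return type(e)(subst(e.e, x, s))
    if isinstance(e, If):
        return If(subst(e.e, x, s), e.k, subst(e.then, x, s), subst(e.els, x, s))
    return e                                                 # Const, Error


def evaluate(e: Term, fuel: int) -> FrozenSet[Term]:
    """Every v with e ⇓ v derivable by Fig. 1 within `fuel` nested rule applications;
    terms with no such derivation (e.g. diverge) contribute no outcome."""
    if fuel == 0:
        return frozenset()
    fuel -= 1
    if isinstance(e, Var):                                   # Var-Error
        return frozenset({ERR})
    if isinstance(e, (Lam, Pair, Const, Error)):             # Abs, Pair, Constant, Error
        return frozenset({e})
    out: set = set()
    if isinstance(e, App):                                   # App / App-Error, call-by-name
        for v in evaluate(e.fun, fuel):
            out |= evaluate(subst(v.body, v.x, e.arg), fuel) if isinstance(v, Lam) else {ERR}
    elif isinstance(e, (Fst, Snd)):                          # Fst / Snd and their -Error rules
        for v in evaluate(e.e, fuel):
            if isinstance(v, Pair):
                out |= evaluate(v.fst if isinstance(e, Fst) else v.snd, fuel)
            else:
                out.add(ERR)
    elif isinstance(e, If):                                  # If-Equal / If-Not-Equal / If-Error
        for v in evaluate(e.e, fuel):
            if isinstance(v, Const):
                out |= evaluate(e.then if v.k == e.k else e.els, fuel)
            else:
                out.add(ERR)
    elif isinstance(e, Erratic):                             # Para-Left / Para-Right
        out = set(evaluate(e.l, fuel) | evaluate(e.r, fuel))
    elif isinstance(e, Catch):                               # Catch-Left / -Right / -Error
        left, right = evaluate(e.l, fuel), evaluate(e.r, fuel)
        out = set((left | right) - {ERR})
        if ERR in left and ERR in right:
            out.add(ERR)
    elif isinstance(e, Let):                                 # Let / Let-Error: e is forced first
        for v in evaluate(e.e, fuel):
            out |= {ERR} if v == ERR else evaluate(subst(e.body, e.x, v), fuel)
    return frozenset(out)


def is_safe(e: Term, fuel: int) -> bool:
    """e ∈ S (no derivation of e ⇓ error), up to the given evaluation depth."""
    return ERR not in evaluate(e, fuel)


# Constructed terms: diverge (Sect. 3.1) and the term f of Sect. 3.4.
OMEGA = Lam("x", App(Var("x"), Var("x")))
DIVERGE = App(OMEGA, OMEGA)
K, K2 = Const("κ"), Const("κ'")
F = Lam("z", If(Var("z"), "κ", If(Var("z"), "κ", DIVERGE, ERR), DIVERGE))
```

Because the evaluator is bounded by fuel, `is_safe` under-approximates the set of error derivations: a term reported safe may still reach error at a greater depth.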

Ordering of Terms and Contexts. We define the preorder $\le$ on 
terms by $e \le e'$ if and only if $\overline{\{e\}} \subseteq \overline{\{e'\}}$. Likewise, we define a preorder on 
contexts by $c \le c'$ if and only if $\{c\}^{\perp} \subseteq \{c'\}^{\perp}$. Note that we choose to define 
both preorders so that the ordering between two elements (either two terms 
or two contexts) derives from the inclusion ordering between the two naturally 
associated sets of terms. We present the relative ordering of some interesting 
terms and contexts. This ordering is illustrated by the following diagram (error 
at the top, diverge at the bottom): 

$$\mathrm{diverge} \le e_1 \le e_1 \sqcup e_2 \le \mathrm{error} \qquad \mathrm{diverge} \le e_2 \le e_1 \sqcup e_2 \le \mathrm{error}$$

Lemma 4 (Least Upper Bounds). For all terms $e, e'$ and all contexts $c, c'$, 

$$\overline{\{e \sqcup e'\}} = \{e\} \sqcup \{e'\} \qquad \{c \vee c'\}^{\perp} = \{c\}^{\perp} \sqcup \{c'\}^{\perp}\ ;$$

that is, $e \sqcup e'$ is a least upper bound of $e$ and $e'$, and $c \vee c'$ is a least upper bound of $c$ and $c'$. 

Lemma 5 (Divergence). , diverge , , , , 

$$\mathrm{diverge} \in \boxed{\bot}$$

Sets of Values. We write $\mathcal{V}(\mathcal{E})$ for the set of values contained in a set of terms $\mathcal{E}$: 
$\mathcal{V}(\mathcal{E}) = \{v \mid v \in \mathcal{E}\}$. A direct consequence of Lemma 2 (Terms and Values) is that 
a closed set of terms is characterized by its values: $\mathcal{E} = \overline{\mathcal{V}(\mathcal{E})}$. It seems therefore 
natural to study some of the properties of the sets of values $\mathcal{V}(\mathcal{E})$. 

Lemma 6 (Least Semantic Type). $\boxed{\bot} = \mathcal{N}$ and $\mathcal{V}(\boxed{\bot}) = \emptyset$. 

Lemma 7 (Union and Values). For closed sets of terms $\mathcal{E}$ and $\mathcal{E}'$, 
$\mathcal{V}(\mathcal{E} \sqcup \mathcal{E}') = \mathcal{V}(\mathcal{E}) \cup \mathcal{V}(\mathcal{E}')$. 

We say that a set of terms $\mathcal{E}$ is directed when it is non-empty and when each 
pair of terms of this subset has an upper bound in this subset. 

Lemma 8 (Prime when Directed). If $\mathcal{V}(\mathcal{E})$ is directed, then $\mathcal{E}$ is 
prime: if $\mathcal{E} \subseteq \mathcal{E}_1 \sqcup \mathcal{E}_2$, then $\mathcal{E} \subseteq \mathcal{E}_1$ or $\mathcal{E} \subseteq \mathcal{E}_2$. 

Instance of the Class of Calculi. We have the expected result: 

Lemma 9. , ' * , , , - 1 ' 

Orthogonality between Functions and Arguments. Just as we defined an orthogonality 
relation between terms and contexts in Sect. 3.2, we can define a family of 
orthogonality relations between functions and arguments. 

In the remainder of this section, we assume given a semantic type $\mathcal{E}_0$. We 
define an orthogonality relation between the elements of $\mathcal{T}$ (all terms), consid- 
ered as function arguments, and the elements of $\mathcal{S}$ (safe terms), considered as 
functions: an argument $e' \in \mathcal{T}$ is orthogonal to a function $e \in \mathcal{S}$ when $e\,e' \in \mathcal{E}_0$. 
From this relation, we define the orthogonal of a set $\mathcal{E}$ of arguments by 

$$\mathcal{E}^{\mathrm{fun}} = \{e \in \mathcal{S} \mid \forall e' \in \mathcal{E}.\ e\,e' \in \mathcal{E}_0\} = \mathcal{E} \Rightarrow \mathcal{E}_0$$

and the orthogonal of a set $\mathcal{E} \subseteq \mathcal{S}$ of functions by 

$$\mathcal{E}^{\mathrm{arg}} = \{e' \mid \forall e \in \mathcal{E}.\ e\,e' \in \mathcal{E}_0\}\ .$$

The function $\mathcal{E} \mapsto \mathcal{E}^{\mathrm{fun}\,\mathrm{arg}}$ is a closure on sets of arguments. 

Lemma 10 (Function Orthogonality). ^ , , , , 

\ ^ 

$$\mathcal{E}^{\mathrm{fun}\,\mathrm{arg}} \subseteq \overline{\mathcal{E}}$$

gfunarg ^ ^ g 

$$\mathcal{E}^{\mathrm{fun}} = \overline{\mathcal{E}} \Rightarrow \mathcal{E}_0$$

$$\mathcal{E} = (\mathcal{E} \Rightarrow \mathcal{E}_0)^{\mathrm{arg}}$$

The key idea to prove the first inclusion is to show that for each context 
$c$ there is a function $\langle c \rangle$ that behaves “similarly”. This function is defined as 
follows. 

$$\langle c \rangle = \lambda x.\ \mathbf{let}\ y = c\,x\ \mathbf{in}\ \mathrm{diverge}$$

It satisfies the following property. 

Lemma 11 (Context as Function). For every set of terms $\mathcal{E}$ and every context $c$, 
$c \in \mathcal{E}^{\perp}$ if and only if $\langle c \rangle \in \mathcal{E} \Rightarrow \mathcal{E}_0$. 

4 A Simple Type System 

We present a simple type system and prove its soundness and completeness. 
These properties have been mechanically checked using the Coq proof assis- 
tant [6]. 
4.1 Types 

The syntax of types is given by the following grammar. 

τ ::= χ          constructed type        χ ::= τ → τ      function type 
    | ⊥          bottom type                 | τ × τ      pair type 
    | τ ∪ τ      union type                  | κ          constant type 

The semantics $[\![\tau]\!]$ of a type $\tau$ is defined inductively on the syntax of types 
in a straightforward manner: 

$$[\![\tau \to \tau']\!] = [\![\tau]\!] \Rightarrow [\![\tau']\!] \qquad [\![\bot]\!] = \boxed{\bot}$$

$$[\![\tau \times \tau']\!] = [\![\tau]\!] \otimes [\![\tau']\!] \qquad [\![\tau \cup \tau']\!] = [\![\tau]\!] \sqcup [\![\tau']\!]$$

$$[\![\kappa]\!] = \boxed{\kappa}$$

Clearly, the semantics $[\![\tau]\!]$ of a syntactic type $\tau$ is a semantic type. 

4.2 Subtyping Relation 

The subtyping relation $<:$ is defined inductively. The subtyping rules are given in 
Fig. 2. Note that the rules are almost syntax-directed: the conclusions of the rules 
are disjoint, except in the case of rules Union-Right-1 and Union-Right-2. 

$$\textsc{Function}\ \frac{\tau_1 <: \tau_1' \quad \tau_2 <: \tau_2'}{\tau_1' \to \tau_2 <: \tau_1 \to \tau_2'} \qquad \textsc{Pair}\ \frac{\tau_1 <: \tau_1' \quad \tau_2 <: \tau_2'}{\tau_1 \times \tau_2 <: \tau_1' \times \tau_2'}$$

$$\textsc{Constant}\ \frac{}{\kappa <: \kappa} \qquad \textsc{Bottom}\ \frac{}{\bot <: \tau}$$

$$\textsc{Union-Left}\ \frac{\tau <: \tau'' \quad \tau' <: \tau''}{\tau \cup \tau' <: \tau''} \qquad \textsc{Union-Right-1}\ \frac{\chi <: \tau}{\chi <: \tau \cup \tau'} \qquad \textsc{Union-Right-2}\ \frac{\chi <: \tau'}{\chi <: \tau \cup \tau'}$$

Fig. 2. Subtyping Rules 

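As an added example (not from the paper or its Coq development), the checker below implements the rules of Fig. 2 directly and returns the derivation it builds; the class and function names are the example's own. Its `__main__` block also shows on (κ₁ ∪ κ₂) × κ versus (κ₁ × κ) ∪ (κ₂ × κ) that the relation does not validate distributivity of pairs over unions, as Sect. 6 notes.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


class Ty:
    """Types of Sect. 4.1: τ ::= χ | ⊥ | τ ∪ τ,  χ ::= τ → τ | τ × τ | κ."""

@dataclass(frozen=True)
class Bot(Ty):
    def __str__(self): return "⊥"

@dataclass(frozen=True)
class Const(Ty):                      # constant type κ (a constructed type)
    name: str
    def __str__(self): return self.name

@dataclass(frozen=True)
class Fun(Ty):                        # τ → τ' (a constructed type)
    dom: Ty
    cod: Ty
    def __str__(self): return f"({self.dom} → {self.cod})"

@dataclass(frozen=True)
class Pair(Ty):                       # τ × τ' (a constructed type)
    fst: Ty
    snd: Ty
    def __str__(self): return f"({self.fst} × {self.snd})"

@dataclass(frozen=True)
class Union(Ty):                      # τ ∪ τ'
    left: Ty
    right: Ty
    def __str__(self): return f"({self.left} ∪ {self.right})"


@dataclass(frozen=True)
class Deriv:
    """Derivation tree: the rule of Fig. 2 used at the root, its conclusion,
    and the derivations of its premises."""
    rule: str
    conclusion: str
    premises: Tuple["Deriv", ...] = ()


def subtype(t: Ty, u: Ty) -> Optional[Deriv]:
    """Derivation of t <: u built from the rules of Fig. 2, or None if none exists."""
    concl = f"{t} <: {u}"
    if isinstance(t, Bot):                                       # Bottom: ⊥ <: τ
        return Deriv("Bottom", concl)
    if isinstance(t, Union):                                     # Union-Left
        d1, d2 = subtype(t.left, u), subtype(t.right, u)
        return Deriv("Union-Left", concl, (d1, d2)) if d1 and d2 else None
    # From here on, t is a constructed type χ.
    if isinstance(u, Union):
        # Union-Right-1 and Union-Right-2 share the conclusion χ <: τ ∪ τ'; this is
        # the only point where the rules are not syntax-directed, so try both.
        d = subtype(t, u.left)
        if d:
            return Deriv("Union-Right-1", concl, (d,))
        d = subtype(t, u.right)
        return Deriv("Union-Right-2", concl, (d,)) if d else None
    if isinstance(t, Fun) and isinstance(u, Fun):                # Function: contravariant domain
        d1, d2 = subtype(u.dom, t.dom), subtype(t.cod, u.cod)
        return Deriv("Function", concl, (d1, d2)) if d1 and d2 else None
    if isinstance(t, Pair) and isinstance(u, Pair):              # Pair: covariant in both components
        d1, d2 = subtype(t.fst, u.fst), subtype(t.snd, u.snd)
        return Deriv("Pair", concl, (d1, d2)) if d1 and d2 else None
    if isinstance(t, Const) and isinstance(u, Const) and t.name == u.name:
        return Deriv("Constant", concl)                          # Constant: κ <: κ
    return None      # no rule concludes χ <: ⊥ or relates constructed types of different kinds


def is_subtype(t: Ty, u: Ty) -> bool:
    return subtype(t, u) is not None


if __name__ == "__main__":
    k1, k2, k = Const("κ1"), Const("κ2"), Const("κ")
    lhs = Pair(Union(k1, k2), k)
    rhs = Union(Pair(k1, k), Pair(k2, k))
    print(f"{lhs} <: {rhs}:", is_subtype(lhs, rhs))   # False: not derivable (cf. Sect. 6)
    print(f"{rhs} <: {lhs}:", is_subtype(rhs, lhs))   # True: Union-Left, Pair, Union-Right-1/2
```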
4.3 Soundness of the Subtyping Relation 

The soundness of the subtyping relation is straightforward. 

Theorem 12 (Soundness). If $\tau <: \tau'$, then $[\![\tau]\!] \subseteq [\![\tau']\!]$. 

Proof. By induction on a derivation of $\tau <: \tau'$. 

— Rule Function: by covariance and contravariance of the operation $\Rightarrow$. 

— Rule Pair: by covariance of the operation $\otimes$. 

— Rule Constant: immediate. 

— Rule Bottom: the semantic type $\boxed{\bot}$ is the least semantic type. 

— Rule Union-Left: by induction hypothesis, $[\![\tau]\!] \cup [\![\tau']\!] \subseteq [\![\tau'']\!]$; hence, as $[\![\tau'']\!]$ 
is closed, $[\![\tau]\!] \sqcup [\![\tau']\!] = \overline{[\![\tau]\!] \cup [\![\tau']\!]} \subseteq [\![\tau'']\!]$. 

— Rule Union-Right-1: $[\![\tau]\!] \subseteq [\![\tau]\!] \sqcup [\![\tau']\!]$. 

— Rule Union-Right-2: $[\![\tau']\!] \subseteq [\![\tau]\!] \sqcup [\![\tau']\!]$. □ 
4.4 Properties of Constructed Types 

Before proving the completeness of the subtyping relation $<:$, we first state some 
interesting properties of the semantics of constructed types. 

Lemma 13 (Homogeneity). The values of a constructed type all have the shape of 
its constructor: every value in $\mathcal{V}([\![\tau' \to \tau]\!])$ is an abstraction, every value in 
$\mathcal{V}([\![\tau \times \tau']\!])$ is a pair, and every value in $\mathcal{V}([\![\kappa]\!])$ is the constant $\kappa$. 

Lemma 14 (Directed Set). For every constructed type $\chi$, the set of values $\mathcal{V}([\![\chi]\!])$ 
is directed. 

These two lemmas are illustrated below, respectively for function types, pair 
types and constant types (values are the abstractions, the pairs and $\kappa$; diverge 
and the erratic choices are not values). The value just above diverge 
is included in all constructed types of the corresponding kind. Given two values 
in $\mathcal{V}([\![\chi]\!])$, one of their upper bounds in $\mathcal{V}([\![\chi]\!])$ is given. 

Function types: $\mathrm{diverge} \le \lambda x.\mathrm{diverge} \le \lambda x.e_1,\ \lambda x.e_2 \le (\lambda x.e_1) \sqcup (\lambda x.e_2) \le \lambda x.(e_1 \sqcup e_2)$. 

Pair types: $\mathrm{diverge} \le (\mathrm{diverge}, \mathrm{diverge}) \le (e_1, e_1'),\ (e_2, e_2') \le (e_1, e_1') \sqcup (e_2, e_2') \le ((e_1 \sqcup e_2), (e_1' \sqcup e_2'))$. 

Constant types: $\mathrm{diverge} \le \kappa$. 

4.5 Completeness of the Subtyping Relation 

We now have all the elements to prove the completeness of the subtyping relation. 

Theorem 15. In the calculus of Sect. 3, if $[\![\tau]\!] \subseteq [\![\tau']\!]$, then $\tau <: \tau'$. 

Corollary 16 (Completeness). If $[\![\tau]\!] \subseteq [\![\tau']\!]$ holds in every calculus of the 
class of Sect. 2, then $\tau <: \tau'$. 

At several points in the proof of completeness, we need to prove an inclusion 
$[\![\tau_1]\!] \subseteq [\![\tau_1']\!]$ assuming that an inclusion between the semantics of two types built 
from $\tau_1$ and $\tau_1'$ (for instance, $[\![\tau_1 \times \tau_2]\!] \subseteq [\![\tau_1' \times \tau_2]\!]$) holds. The proof is similar 
in each case. Let us call typed transformation a pair $(F, f)$ of a function $F$ from types 
to types and a function $f$ from terms to terms such that, for all types $\tau$ and all 
terms $e$, $e \in [\![\tau]\!]$ if and only if $f(e) \in [\![F(\tau)]\!]$. Then, it is easy to see that, if $(F, f)$ 
is a typed transformation and $[\![F(\tau)]\!] \subseteq [\![F(\tau')]\!]$, then $[\![\tau]\!] \subseteq [\![\tau']\!]$. We thus define 
three families of typed transformations. 

Lemma 17 (Typed Transformations). For every type $\tau'$, the following pairs are 
typed transformations: 

$$f_1 : e \mapsto (e, \mathrm{diverge}) \qquad F_1(\tau') : \tau \mapsto \tau \times \tau'$$

$$f_2 : e \mapsto (\mathrm{diverge}, e) \qquad F_2(\tau') : \tau \mapsto \tau' \times \tau$$

$$f_3 : e \mapsto \lambda x.e \qquad F_3(\tau') : \tau \mapsto \tau' \to \tau$$
Proof (of Theorem 15). We interpret the semantics of types in the calculus de- 
fined in Sect. 3. In order to handle the contravariance of the function type, we 
simultaneously prove by induction on $\tau$ and $\tau'$ that if $[\![\tau]\!] \subseteq [\![\tau']\!]$ then $\tau <: \tau'$, 
and if $[\![\tau']\!] \subseteq [\![\tau]\!]$ then $\tau' <: \tau$. For each pair of types $\tau$ and $\tau'$, we prove that if 
$[\![\tau]\!] \subseteq [\![\tau']\!]$, then there exists a subtyping rule whose conclusion is $\tau <: \tau'$ and 
whose premises are a consequence of the induction hypothesis. 

— Case $[\![\bot]\!] \subseteq [\![\tau]\!]$. By rule Bottom, we have $\bot <: \tau$. 

— Case $[\![\tau \cup \tau']\!] \subseteq [\![\tau'']\!]$. This implies $[\![\tau]\!] \subseteq [\![\tau'']\!]$ and $[\![\tau']\!] \subseteq [\![\tau'']\!]$. Hence, by 
induction hypothesis, $\tau <: \tau''$ and $\tau' <: \tau''$. Finally, by rule Union-Left, 
$\tau \cup \tau' <: \tau''$. 

— Case $[\![\chi]\!] \subseteq [\![\bot]\!]$. By Lemma 6 (Least Semantic Type), the set $[\![\bot]\!]$ does not 
contain any value. By Lemma 14 (Directed Set), $[\![\chi]\!]$ contains at least one 
value. Thus, this case is not possible. 

— Case $[\![\chi]\!] \subseteq [\![\tau \cup \tau']\!]$. This is a direct corollary of Lemmas 14 (Directed Set) 
and 8 (Prime when Directed). 

— Case $[\![\chi]\!] \subseteq [\![\chi']\!]$ where $\chi$ and $\chi'$ are constructed types of different kinds. By Lemmas 14 
(Directed Set) and 13 (Homogeneity), constructed types all contain at least 
a value, and their values are homogeneous. Hence, $[\![\chi]\!]$ contains a value which 
is not in $[\![\chi']\!]$. This case is not possible. 

— Case $[\![\tau_2 \to \tau_1]\!] \subseteq [\![\tau_4 \to \tau_3]\!]$. We prove that $[\![\tau_1]\!] \subseteq [\![\tau_3]\!]$ and $[\![\tau_4]\!] \subseteq [\![\tau_2]\!]$. This 
allows us to conclude by induction hypothesis and rule Function. 

The inclusion $[\![\tau_1]\!] \subseteq [\![\tau_3]\!]$ is a direct consequence of Lemma 17 (Typed Trans- 
formations). 

Let us prove that $[\![\tau_4]\!] \subseteq [\![\tau_2]\!]$. It is sufficient to show that $[\![\tau_2]\!]^{\perp} \subseteq [\![\tau_4]\!]^{\perp}$. 
Let $c$ be in $[\![\tau_2]\!]^{\perp}$. By Lemma 11 (Context as Function), $\langle c \rangle \in [\![\tau_2]\!] \Rightarrow [\![\tau_1]\!] = 
[\![\tau_2 \to \tau_1]\!] \subseteq [\![\tau_4 \to \tau_3]\!] = [\![\tau_4]\!] \Rightarrow [\![\tau_3]\!]$. Hence, by this lemma again, $c \in [\![\tau_4]\!]^{\perp}$. 

— Case $[\![\tau_1 \times \tau_2]\!] \subseteq [\![\tau_3 \times \tau_4]\!]$. By Lemma 17 (Typed Transformations), $[\![\tau_1]\!] \subseteq [\![\tau_3]\!]$ 
and $[\![\tau_2]\!] \subseteq [\![\tau_4]\!]$. We conclude by induction hypothesis and rule Pair. □ 

The proof of the completeness theorem actually led us to use an orthog- 
onality relation to define types. Indeed, for completeness to hold, we must have 
that, if $\tau_1 \to \tau <: \tau_2 \to \tau$, then $\tau_2 <: \tau_1$. This means that, if a term $e$ has type $\tau_2$ 
but not type $\tau_1$, then there must exist a function $e'$ of type $\tau_1 \to \tau$ but not $\tau_2 \to \tau$. 
Given that the term $e$ has type $\tau_2$, a natural way to prove that the function $e'$ 
does not have type $\tau_2 \to \tau$ is to show that the term $e'\,e$ does not have type $\tau$. 
So, now, for any term $e$ of type $\tau_2$ but not $\tau_1$, we must be able to find a function $e'$ 
of type $\tau_1 \to \tau$ such that the term $e'\,e$ does not have type $\tau$. This must hold for 
any type $\tau_2$, so the assumption that the term $e$ has type $\tau_2$ does not really put 
any constraint on the term $e$ and it is natural to drop it. So, finally, we would 
like that if a term $e$ does not have type $\tau_1$, then there is a function $e'$ of type 
$\tau_1 \to \tau$ such that $e'\,e$ does not have type $\tau$. In other words, if $e \notin [\![\tau_1]\!]$, then there 
exists a function $e' \in [\![\tau_1]\!]^{\mathrm{fun}}$ such that $e$ and $e'$ are not orthogonal. That is, if a 
term is orthogonal to all functions in $[\![\tau_1]\!]^{\mathrm{fun}}$, then it should have type $\tau_1$: the 
set $[\![\tau_1]\!]$ must be closed. 

A noteworthy point in this discussion is that if $\tau$ is not a subtype of $\tau'$, then 
it is unsafe to apply a function accepting terms of type $\tau'$ to a term of type $\tau$. 
Lemma 18. 

' , e 



1^1 




e' e JJ. error 



5 Related Work 

This work is a continuation of our work with Melliès on semantic types [4, 3]. 
These two papers focus on defining types, especially recursive types, as sets of 
terms, while we study here the subtyping relation induced by these definitions. 

Defining the semantics of types as closed sets of terms is very natural. For 
instance, in domain theory, types can be interpreted as ideals [7], that is, sets 
that are downward closed and closed under directed limits. Reducibility candidates 
[5] are also closed sets of terms. Girard [8] reformulates the candidates as 
sets of terms closed by biorthogonality in his proof of cut elimination for lin- 
ear logic. Meanwhile, Krivine [9, 10] has developed a comprehensive framework 
based on orthogonality, in order to analyze types as sets of terms. In 
semantics, Pitts [11] uses relations closed by biorthogonality to study parametric 
polymorphism in an operational setting. 

Damm [1] studies subtyping for a deterministic calculus with recursive types 
with union and intersection. He takes a domain theoretic approach based on the 
ideal model [7]. A subtyping algorithm is specified by encoding types into tree 
automata and defining the subtyping relation as the inclusion of the recognized 
languages. The soundness and completeness of this algorithm with respect to 
the semantics of types is proven. 

Frisch, Castagna and Benzaken [12] use an approach similar to ours to design 
a subtyping relation for a typed calculus with union and intersection types. They 
want to define the subtyping relation of this calculus in a semantic way, as the 
inclusion of the denotations of types. But their calculus is typed, so its semantics 
depends on the subtyping relation. In order to get rid of this circularity, they 
consider a restricted class of calculi. While we try to describe as large a 
class as possible, the authors design a class such that the subtyping relation has 
good properties (for instance, distributivity of union and intersection). 



6 Extensions and Future Work 

In an extended version of the paper [2], 
we present a refined type system with ML-style polymorphism and type construc- 
tors and we similarly prove its soundness and completeness. This is omitted here 
for lack of space. 

The type system presented here is not as 
rich as the type systems of XDuce [13] and CDuce [12] for two reasons. First, 
for the sake of simplicity, we have not considered recursive types. In previous 
work [4, 3], we have developed some tools to deal with them. Second, we deal 
with a very large class of calculi, in which some subtyping assertions such as 
$(\tau_1 \cup \tau_2) \times \tau <: (\tau_1 \times \tau) \cup (\tau_2 \times \tau)$ do not hold (as hinted in the introduction). 
We would need to reduce the class of calculi to get a coarser subtyping relation. 

Intersection types are harder to handle than union types. 
The natural semantics for intersection types is set intersection: 

$$\mathcal{E} \sqcap \mathcal{E}' = \mathcal{E} \cap \mathcal{E}'\ .$$

Then, it is clear that the duals of the subtyping rules for union types are 
sound. But there are other sound subtyping rules. For instance, we have $(\tau_1 \times 
\tau_3) \cap (\tau_2 \times \tau_4) <: (\tau_1 \cap \tau_2) \times (\tau_3 \cap \tau_4)$. Another issue is that the distributivity law 
$(\tau_1 \cup \tau_2) \cap \tau = (\tau_1 \cap \tau) \cup (\tau_2 \cap \tau)$ does not hold in general. Thus, it is not clear 
how union and intersection interact as far as subtyping is concerned. 
Abstract. It is well known that in an o-minimal hybrid system the 
continuous and discrete components can be separated, and therefore the 
problem of finite bisimulation reduces to the same problem for a tran- 
sition system associated with a continuous dynamical system. It was 
recently proved by several authors that under certain natural assump- 
tions such finite bisimulation exists. In the paper we consider o-minimal 
systems defined by Pfaffian functions, either implicitly (via triangular 
systems of ordinary differential equations) or explicitly (by means of 
semi-Pfaffian maps). We give explicit upper bounds on the sizes of bisim- 
ulations as functions of formats of initial dynamical systems. We also 
suggest an algorithm with an elementary (doubly-exponential) upper 
complexity bound for computing finite bisimulations of these systems. 



Introduction 

We assume that the reader is familiar with the motivation and basic concepts of 
the theory of hybrid systems. This material can be found in the collection of papers 
[7]. More recent accounts are (not exclusively) [8, 3, 9]. 

Recall that in certain natural cases the continuous and discrete components of 
a hybrid system can be separated. Moreover, the continuous component allows 
finite bisimulations, thus reducing the decidability questions for the original sys- 
tem to similar questions for a finite system. An important example having this 
property is the class of o-minimal hybrid systems, introduced in [9]. The main 
result of [9] is that under certain natural assumptions, o-minimal systems allow 
finite bisimulations. This statement was generalized in [3], where a convenient 
and elementary technique was developed, based on encoding of trajectories of 
o-minimal dynamical systems in partitioned spaces by means of words in finite 
alphabets. The elements of bisimulations are then encoded by dotted words. 

In the present paper we use the technique of [3] to obtain some quantitative 
versions of the finite bisimulation theorems. We introduce Pfaffian hybrid 
systems, which essentially reduce to Pfaffian dynamical systems defined by means 
of equations and inequalities involving Pfaffian functions. The latter are real 

J. Marcinkowski and A. Tarlecki (Eds.): CSL 2004, LNCS 3210, pp. 430-441, 2004. 

© Springer-Verlag Berlin Heidelberg 2004 
analytic functions satisfying triangular systems of first order partial differential 
equations with polynomial coefficients. They include polynomials, real algebraic 
functions, and all major transcendental functions in appropriate domains. Pfaf- 
fian functions form the broadest natural class of real analytic functions for whose 
elements the format can be adequately assigned. The concept of the for- 
mat can be extended to sets in $\mathbb{R}^n$ and to maps definable using Pfaffian functions. 

We consider dynamical systems defined by Pfaffian functions, either implic- 
itly (via triangular systems of ordinary differential equations) or explicitly (by 
means of semi-Pfaffian maps). We give explicit upper bounds on the sizes of 
bisimulations as functions of formats of initial dynamical systems. We also sug- 
gest an algorithm with an elementary (doubly-exponential) upper complexity 
bound for computing finite bisimulations of these systems. 

More precisely, the outline of the paper is as follows. In Section 1 we sum- 
marize some well-known definitions and results about hybrid systems, closely 
following [3, 9]. We also recall the word encoding technique from [3]. 
Section 2 presents a brief digest of Pfaffian functions, upper bounds on topolog- 
ical complexities of semi- and sub-Pfaffian sets, and algorithms for computing 
their closures and cylindrical cell decompositions. In Section 3 two types of dy- 
namical systems defined using Pfaffian functions are introduced. In Section 4 we 
consider dynamical systems determined by triangular systems of ordinary differ- 
ential equations, and prove an upper bound on the size of their bisimulations (note 
that such systems may not be o-minimal in the sense of [3, 9]). In Section 5 we 
solve the similar problem for dynamical systems defined by explicit semi-Pfaffian 
maps. Finally, in Section 6 we propose an algorithm (with the oracle usual in the 
theory of Pfaffian functions) which actually computes a finite bisimulation for dy- 
namical systems defined in Section 5. The complexity of the algorithm is doubly 
exponential in the format of the input system. 

1 Transition Systems and Dynamical Systems 

In [3, 9] it is explained how some central problems in the theory of o-minimal 
hybrid systems can be reduced to bisimulations of transition systems associated 
to o-minimal dynamical systems. 

The exposition in this section closely follows [3]. The first group of definitions 
describes transition systems and bisimulations between the transition systems. 

Definition 1. A transition system is a pair $T := (Q, \to)$ where $Q$ is a set of states 
and $\to \subseteq Q \times Q$ is a transition relation. 

Definition 2. Let $T_1 := (Q_1, \to_1)$ and $T_2 := (Q_2, \to_2)$ be two transition systems. A 
simulation of $T_1$ by $T_2$ is a relation $\sim \subseteq Q_1 \times Q_2$ such that 

• $\forall q_1 \in Q_1\ \exists q_2 \in Q_2\ (q_1 \sim q_2)$; 

• $\forall q_1, q_1' \in Q_1\ \forall q_2 \in Q_2\ \exists q_2' \in Q_2\ ((q_1 \sim q_2 \wedge q_1 \to_1 q_1') \Rightarrow (q_1' \sim q_2' \wedge q_2 \to_2 q_2'))$. 

Definition 3. A bisimulation between two transition systems $T_1 := (Q_1, \to_1)$ 
and $T_2 := (Q_2, \to_2)$ is a simulation $\sim$ of $T_1$ by $T_2$ such that the 
reciprocal relation $\sim^{-1} := \{(q_2, q_1) \in Q_2 \times Q_1 \mid q_1 \sim q_2\}$ is a simulation of $T_2$ by 
$T_1$. 

Definition 4. A bisimulation on a transition system $T$ is a bisimulation between 
$T$ and $T$. 

Definition 5. Let $T = (Q, \to)$ be a transition system and $\mathcal{P}$ a partition of $Q$. A 
bisimulation $\sim$ on $T$ is a bisimulation with respect to $\mathcal{P}$ if it is compatible with 
the blocks of $\mathcal{P}$: related states lie in the same element $P \in \mathcal{P}$. 

In this paper we are concerned with estimating cardinality and computing 
bisimulations in the sense of Definition 5. We now give some definitions concern- 
ing dynamical systems. 



Definition 6. 

system 



Gi C - G2 C 



7:Gix(-1,1)^G2. 



, , 1 ,, , \ , 

X G Gi ^ 

Gx = {y|3t G (-1, 1) ( 7 (x, t) = y)} C G 2 



dynamical 

R 



trajectory . , ^ , x, ^ . 

= {(t,y)| 7 (x,t) = y} C (-1, 1) X G 2 



integral curve . , ^ . x 



Definition 7. The transition system $T_\gamma = (Q, \to)$ associated with the dynamical system $\gamma$ is defined as follows:

• $Q := G_2$;

• $y_1 \to y_2$ for $y_1, y_2 \in Q$ iff

$\exists x \in G_1\ \exists t_1, t_2 \in (-1, 1)\ ((t_1 < t_2) \wedge (\gamma(x, t_1) = y_1) \wedge (\gamma(x, t_2) = y_2))$.

We now introduce, following [3], a technique of encoding trajectories of dynamical systems by words. Let $\mathcal{P} := \{P_1, \ldots, P_s\}$ be a finite partition of $\gamma(G_1 \times (-1, 1))$ definable in the o-minimal structure. Fix $x \in G_1$. Define the set of points and open intervals in $\mathbb{R}$:

$P_x := \{I \mid I$ is a point or an interval in $(-1, 1)$ maximal w.r.t. inclusion for the property $\exists i \in \{1, \ldots, s\}\ \forall t \in I\ (\gamma(x, t) \in P_i)\}$.

Let the cardinality $|P_x| = r$ and $y_1 < \cdots < y_r$ be the set of representatives of $P_x$ such that $\gamma(x, y_j) \in P_{i_j}$. Then define the word $\omega := P_{i_1} \cdots P_{i_r}$ in the alphabet $\mathcal{P}$. Informally, $\omega$ is the list of names of elements of the partition in the order they are visited by the trajectory $\Gamma_x$.

Let $y \in \Gamma_x$. Then $y \in P_{i_j}$ for some $1 \le j \le r$, where $P_{i_j}$ is a letter in $\omega$. We represent the location of $y$ on the trajectory $\Gamma_x$ by the dotted word

$\dot\omega := P_{i_1} \cdots \dot P_{i_j} \cdots P_{i_r}$.

It will be convenient to use the operation

$\mathrm{undot}(\dot\omega) = \omega := P_{i_1} \cdots P_{i_j} \cdots P_{i_r}$.

In the sequel we will always assume that the dynamical system $\gamma$ is injective. In this case there is a unique dotted word associated to a given $y \in \gamma(G_1 \times (-1, 1))$. Introduce the sets of words $\Omega := \{\omega \mid x \in G_1\}$ and $\dot\Omega := \{\dot\omega \mid x \in G_1\}$.

The following statement is an easy consequence of o-minimality. 

Lemma 1. [3] The set $\Omega$ is finite.

An obvious (purely combinatorial) corollary is that $\dot\Omega$ is also finite.

Definition 8. Define the transition system $T_\Omega := (Q, \to)$ as follows:

• $Q := \dot\Omega$;

• $\dot\omega_1 \to \dot\omega_2$ for $\dot\omega_1, \dot\omega_2 \in Q$ iff $\mathrm{undot}(\dot\omega_1) = \mathrm{undot}(\dot\omega_2)$ and the dotted letter in $\dot\omega_1$ is not to the right of the dotted letter in $\dot\omega_2$.

Theorem 1. [3] There exists a finite bisimulation on $T_\gamma$ with respect to the partition $\mathcal{P}$.

Proof. To prove the theorem one first shows that $T_\Omega$ is a bisimulation of $T_\gamma$, and then considers the following equivalence relation $\sim$ on $G_2$: $y_1 \sim y_2$ iff for respective pre-images $(x_1, t_1)$, $(x_2, t_2)$, the locations of $y_1, y_2$ on trajectories $\Gamma_{x_1}, \Gamma_{x_2}$ are described by the same dotted word $\dot\omega$. Then $\sim$ is the required bisimulation (see details in [3]).



2 Pfaffian Functions and Related Sets

This section is a digest of the theory of Pfaffian functions and sets definable with Pfaffian functions. The detailed exposition can be found in the survey [4].



Definition 9. A Pfaffian chain of order $r \ge 0$ and degree $\alpha \ge 1$ in an open domain $G \subset \mathbb{R}^n$ is a sequence of analytic functions $f_1, \ldots, f_r$ in $G$ satisfying differential equations

$\frac{\partial f_j}{\partial x_i} = g_{ij}(x, f_1(x), \ldots, f_j(x))$ (1)

for $1 \le j \le r$, $1 \le i \le n$, where $g_{ij}(x, y_1, \ldots, y_j)$ are polynomials in $x = (x_1, \ldots, x_n), y_1, \ldots, y_j$ of degree not exceeding $\alpha$. A function

$f(x) = P(x, f_1(x), \ldots, f_r(x))$,

where $P(x, y_1, \ldots, y_r)$ is a polynomial of degree not exceeding $\beta \ge 1$, is called a Pfaffian function of order $r$ and degree $(\alpha, \beta)$.

Apart from polynomials, the class of Pfaffian functions includes real algebraic 
functions, exponentials, logarithms, trigonometric functions, their compositions, 
and other major transcendental functions in appropriate domains (see [4]). 



Definition 10. A set $A \subset \mathbb{R}^n$ is called semi-Pfaffian in an open domain $G \subset \mathbb{R}^n$ if it consists of the points in $G$ satisfying a Boolean combination of some atomic equations and inequalities $f = 0$, $g > 0$, where $f, g$ are Pfaffian functions having a common Pfaffian chain defined in $G$. A semi-Pfaffian set $X$ is restricted in $G$ if its topological closure lies in $G$.


Definition 11. A set $A \subset \mathbb{R}^n$ is called sub-Pfaffian in an open domain $G \subset \mathbb{R}^n$ if it is an image of a semi-Pfaffian set under a projection into a subspace.



In the sequel we will be dealing with the following subclass of sub-Pfaffian 
sets. 



Definition 12. Consider the closed cube $[-1, 1]^{m+n}$ in an open domain $G \subset \mathbb{R}^{m+n}$ and the projection map $\pi : \mathbb{R}^{m+n} \to \mathbb{R}^n$. A subset $Y \subset [-1, 1]^n$ is called restricted sub-Pfaffian if $Y = \pi(X)$ for a restricted semi-Pfaffian set $X \subset [-1, 1]^{m+n}$.

Note that a restricted sub-Pfaffian set need not be semi-Pfaffian. 

Definition 13. Consider a semi-Pfaffian set

$A := \bigcup_{1 \le i \le M} \{x \in \mathbb{R}^s \mid f_{i1} = \cdots = f_{iI_i} = 0,\ g_{i1} > 0, \ldots, g_{iJ_i} > 0\} \subset G$, (2)

where $f_{ij}, g_{ij}$ are Pfaffian functions with a common Pfaffian chain of order $r$ and degree $(\alpha, \beta)$, defined in an open domain $G$. Its format is the tuple $(r, N, \alpha, \beta, s)$, where $N \ge \sum_{1 \le i \le M} (I_i + J_i)$ and $s = m + n$. For $Y \subset \mathbb{R}^n$ with $Y = \pi(A)$, the format of $Y$ is the format of $A$.

We will refer to the representation of a semi-Pfaffian set in the form (2) as to a disjunctive normal form (DNF).

In this paper we are concerned with upper bounds on sizes of bisimu- 
lations and complexities of computations, as functions of the format. In the case 
of Pfaffian dynamical systems these sizes and complexities also depend on the 
domain $G$. So far our definitions imposed no restrictions on an open set $G$, thus allowing it to be arbitrarily complex and induce this complexity on the corresponding semi- and sub-Pfaffian sets. To avoid this we will always assume in the context of Pfaffian dynamical systems that $G$ is "simple", like $\mathbb{R}^n$ or $(-1, 1)^n$.
Theorem 2. [6, 11] Let $X \subset G \subset \mathbb{R}^n$ be a semi-Pfaffian set, $G$ an open domain, having the format $(r, N, \alpha, \beta, n)$. Then the number of connected components of $X$ does not exceed

$N^n 2^{r(r-1)/2} O(n\beta + \min\{n, r\}\alpha)^{n+r}$.

In this paper we examine complexities of algorithms for computing bisimulations. In order to estimate the "efficiency" of a computation we need to specify more precisely a model of computation. As such we use a real numbers machine, which is an analogy of a classical Turing machine but allows exact arithmetic and comparisons on real numbers. Since we are interested only in upper complexity bounds for algorithms, we have no need for a formal definition of this model of computation (it can be found in [2]). In some of our computational problems we will need to modify the standard real numbers machine by equipping it with an oracle for deciding feasibility of any system of Pfaffian equations and inequalities. An oracle is a subroutine which can be used by a given algorithm any time the latter needs to check feasibility. We assume that this procedure always gives a correct answer ("true" or "false") though we do not specify how it actually works. An elementary step of a real numbers machine is either an arithmetic operation, or a comparison (branching) operation, or an oracle call. The complexity of a real numbers machine is the number of elementary steps it makes in the worst case until termination, as a function of the format of the input.

Now we define cylindrical decompositions of semi- and sub-Pfaffian sets. 

Definition 14. Cylindrical cell in $[-1, 1]^n$ is defined by induction as follows.

(1) Cylindrical 0-cell in $[-1, 1]^n$ is an isolated point.

(2) Cylindrical 1-cell in $[-1, 1]$ is an open interval $(a, b) \subset [-1, 1]$.

(3) For $n \ge 2$ and $0 \le k < n$, a cylindrical $(k+1)$-cell in $[-1, 1]^n$ is either a graph of a continuous function $f : C \to [-1, 1]$, where $C$ is a cylindrical $(k+1)$-cell in $[-1, 1]^{n-1}$, or else a set of the form

$\{(x_1, \ldots, x_n) \in [-1, 1]^n \mid (x_1, \ldots, x_{n-1}) \in C$ and $f(x_1, \ldots, x_{n-1}) < x_n < g(x_1, \ldots, x_{n-1})\}$,

where $C$ is a cylindrical $k$-cell in $[-1, 1]^{n-1}$, and $f, g : C \to [-1, 1]$ are continuous functions such that $f(x_1, \ldots, x_{n-1}) < g(x_1, \ldots, x_{n-1})$ for all points $(x_1, \ldots, x_{n-1}) \in C$.

Definition 15. Cylindrical cell decomposition $\mathcal{D}$ of a subset $A \subset [-1, 1]^n$ is defined by induction as follows.

(1) If $n = 1$, then $\mathcal{D}$ is a finite family of pairwise disjoint cylindrical cells (i.e., isolated points and intervals) whose union is $A$.

(2) If $n \ge 2$, then $\mathcal{D}$ is a finite family of pairwise disjoint cylindrical cells in $[-1, 1]^n$ whose union is $A$, and there is a cylindrical cell decomposition of $\pi(A)$ such that $\pi(C)$ is its cell for each $C \in \mathcal{D}$, where $\pi : \mathbb{R}^n \to \mathbb{R}^{n-1}$ is the projection map onto the coordinate subspace of $x_1, \ldots, x_{n-1}$.
Definition 16. Let $B \subset A \subset [-1, 1]^n$ and let $\mathcal{D}$ be a cylindrical cell decomposition of $A$. Then $\mathcal{D}$ is compatible with $B$ if for any $C \in \mathcal{D}$ we have either $C \subset B$ or $C \cap B = \emptyset$ (i.e., some subset $\mathcal{D}' \subset \mathcal{D}$ is a cylindrical cell decomposition of $B$).

Definition 17. Let $f_1, \ldots, f_N$ be functions defined in an open domain $G$. A non-empty set of the form

$\{x \in G \mid f_{i_1} = \cdots = f_{i_k} = 0,\ f_{i_{k+1}} > 0, \ldots, f_{i_l} > 0,\ f_{i_{l+1}} < 0, \ldots, f_{i_N} < 0\}$,

where $i_1, \ldots, i_N$ is a permutation of $1, \ldots, N$, is called a $G$-consistent sign assignment of $f_1, \ldots, f_N$.

Theorem 3. [5, 10] Let $f_1, \ldots, f_N$ be Pfaffian functions in an open domain $G \subset \mathbb{R}^n$, $G \supset [-1, 1]^n$, having a common Pfaffian chain of order $r$ and degree $(\alpha, \beta)$. Then there is an algorithm (with the oracle) producing a cylindrical cell decomposition $\mathcal{D}$ of $[-1, 1]^n$ compatible with each $G$-consistent sign assignment of $f_1, \ldots, f_N$. The number of cells in $\mathcal{D}$, their formats and the complexity of the algorithm do not exceed

$(\alpha + \beta N)^{r^{O(n)} 2^{O(n^2)}}$.



3 Pfaffian Dynamical Systems

Definition 18. A triangular system of ordinary differential equations is a system

$\dot x = f(t, x)$, (3)

where $x \in \mathbb{R}^n$, and $f = (f_1, \ldots, f_n)$ with

$f_i \in \mathbb{R}[t, x_1, x_2, \ldots, x_i]$

for all $1 \le i \le n$. A solution of (3) with initial conditions $(t_0, x_0)$, $t_0 \in (-1, 1)$, $x_0 \in \mathbb{R}^n$, is a map $\varphi : (-1, 1) \to \mathbb{R}^n$ such that

$d\varphi/dt = f(t, \varphi)$ for all $t \in (-1, 1)$, and $\varphi(t_0) = x_0$.

From Definition 9 it follows that any solution of (3) is a vector of Pfaffian functions in the common domain $(-1, 1)$.

To any system (3) we can relate a dynamical system $\gamma : G \times (-1, 1) \to G$, where $G = I_1 \times \cdots \times I_n$ and $I_i$ is an open interval (possibly unbounded) for all $1 \le i \le n$. More precisely, assume that for any $x \in G$ the system has a solution $\varphi$ with initial conditions $(x, 0)$. Then $\gamma(x, t) := \varphi(t)$.

Along with the dynamical systems associated with triangular systems of the kind (3) we will consider Pfaffian dynamical systems, defined as follows.

Definition 19. A dynamical system

$\gamma : G \times (-1, 1) \to G$,

$G \subset \mathbb{R}^n$, is called a Pfaffian dynamical system if $\gamma$ is a Pfaffian map.
Observe that the dynamical system $\gamma$ associated with (3) may not be a Pfaffian dynamical system in the sense of the last definition since $\gamma$, being a Pfaffian vector-function for any fixed $x$, is not necessarily a Pfaffian map for variable $x$.



4 Bisimulations of Dynamical Systems Associated with a 
Differential Equation 

Let in the system (3) the degree $\deg(f_i) \le \alpha$ for any $1 \le i \le n$ and the associated dynamical system $\gamma$ be bijective. Let $T = (G, \to)$ be the transition system associated with $\gamma$. Consider a partition $\mathcal{P} := \{P_1, \ldots, P_s\}$ of $G$ into $s$ semi-Pfaffian sets $P_j$ each having the format $(r, N, \alpha, \beta, n)$. Let $m := \max\{n, r\}$, $M := \max\{n, N\}$.

Theorem 4.



Proof. We use the notations and arguments of Section 1. First we estimate the length $r$ of the word $\omega$ for any $x \in G$. Fix $x$. Observe that $r$ coincides with the total number of connected components of the intersections

$P_j \cap \Gamma_x = \{y \mid \exists t \in (-1, 1)\ (y = \gamma(x, t) \wedge y \in P_j)\}$

over all $1 \le j \le s$. The semi-Pfaffian set $\tilde P_j := \{(y, t) \mid y = \gamma(x, t) \wedge y \in P_j\}$ has the format $(m, M, \alpha, \beta, n)$, thus according to Theorem 2 the number of its connected components does not exceed $L$, where $L$ denotes the bound of Theorem 2 for this format. Since $P_j \cap \Gamma_x$ is the projection of $\tilde P_j$ along $t$, the number of all connected components of $P_j \cap \Gamma_x$ is also less than or equal to $L$, and the total number of connected components for all $1 \le j \le s$ does not exceed $sL$. Since the number of distinct letters in any word $\omega$ is at most $s$, the number of all words in the set $\Omega$ does not exceed (4). Then the cardinality of the set $\dot\Omega$ of all dotted words also does not exceed (4). It remains to notice that due to Theorem 1, the finite transition system $T_\Omega$ is a bisimulation of $T$.



5 Bisimulations of Pfaffian Dynamical Systems 

Consider a bijective Pfaffian dynamical system $\gamma : G \times (-1, 1) \to G$, where $G = (-1, 1)^n$, and a partition $\mathcal{P} := \{P_1, \ldots, P_s\}$ of $G$ into $s$ semi-Pfaffian sets $P_j$. Let the graph of $\gamma$ and each set $P_j$ have the format $(r, N, \alpha, \beta, n)$, and all Pfaffian functions involved have the common Pfaffian chain.
Theorem 5.

(5)

Proof. A straightforward adjustment of the proof of Theorem 4.

Using the Pfaffian dependence on x in the case of a Pfaffian dynamical sys- 
tem we obtain another upper bound on the size of the bisimulation which is 
asymptotically better in general than the bound in Theorem 5 (except the case 
when n is significantly larger than the rest of the parameters). 

Theorem 6.

Proof. Consider the family of Pfaffian functions in the domain

$G \times (-1, 1) \times G$

consisting of all functions in variables $x, t, y$ involved in the defining formulae for the graph of the map $\gamma : (x, t) \mapsto y$, and for all sets $P_j$ considered in the latter case as functions in variables $y$. According to Theorem 3, there is a cylindrical decomposition $\mathcal{D}$ for this family with respect to $(x, t, y)$, consisting of at most (6) cylindrical cells. By the definition of cylindrical decomposition, $\mathcal{D}$ induces the cylindrical decomposition on $G$ (equipped with coordinates $x$) which we denote by $\mathcal{E}$.

We claim that for any cell $C \in \mathcal{E}$ and any two points $x_1, x_2 \in C$ the trajectories $\Gamma_{x_1}, \Gamma_{x_2} \subset G$ are intersecting the sets $P_1, \ldots, P_s$ in the same order (i.e., are encoded by the same word from $\Omega$). Indeed, let $\pi : G \times (-1, 1) \times G \to G$ be the projection on $G$ with coordinates $x$. Decomposition $\mathcal{D}$ induces cylindrical decompositions $\mathcal{D}_1$ and $\mathcal{D}_2$ on $\pi^{-1}(x_1)$ and $\pi^{-1}(x_2)$ respectively. In particular, each of the integral curves of $x_1$ and $x_2$ is decomposed into a sequence of alternating points and open intervals. Due to basic properties of a cylindrical decomposition, there is a natural bijection $\psi : \mathcal{D}_1 \to \mathcal{D}_2$ such that

(i) the restriction of $\psi$ to the set of all cells in the integral curve of $x_1$ is a bijection onto the set of all cells in the integral curve of $x_2$;

(ii) for each $1 \le j \le s$ the restriction of $\psi$ to the set of all cells in $(-1, 1) \times P_j \subset \pi^{-1}(x_1)$ is a bijection onto the set of all cells in $(-1, 1) \times P_j \subset \pi^{-1}(x_2)$.

It follows that if a cell $B \in \mathcal{D}_1$ lies in the integral curve of $x_1$ and in $(-1, 1) \times P_j$ for some $1 \le j \le s$, then $\psi(B)$ lies in the integral curve of $x_2$ and in $(-1, 1) \times P_j$. The claim is proved.

It follows that the cardinality of $\Omega$ does not exceed the cardinality of $\mathcal{E}$, which does not exceed the cardinality of $\mathcal{D}$, which in turn is at most (6). Therefore, the cardinality of $\dot\Omega$ does not exceed (6), and the theorem is proved.
6 Computing Bisimulations

In this section we introduce an algorithm for computing finite bisimulations described in Theorem 6. It is sufficient to construct the set of dotted words $\dot\Omega$ corresponding to the bijective Pfaffian dynamical system $\gamma : G \times (-1, 1) \to G$ (with $G = (-1, 1)^n$) and a partition $\mathcal{P} := \{P_1, \ldots, P_s\}$. Since $\dot\Omega$ is trivially obtained from the set $\Omega$, we will be constructing the latter set.

The algorithm applies the procedure from Theorem 3 to the family of Pfaffian functions consisting of all functions in variables $x, t, y$ involved in the defining formulae for the graph of the map $\gamma : (x, t) \mapsto y$, and for all sets $P_j$ considered in the latter case as functions in variables $y$. As a result, the algorithm produces a cell decomposition $\mathcal{D}$ which induces the cell decomposition $\mathcal{E}$ (see the proof of Theorem 6). Using the oracle, the algorithm selects the cells from $\mathcal{D}$ which are subsets of $\{(x, t, y) \mid y = \gamma(x, t)\}$. Denote the set of the selected cells by $\mathcal{B}$. Observe that for any fixed $x' \in G$ the set $\bigcup_{B \in \mathcal{B}} B \cap \{x \mid x = x'\}$ coincides with the integral curve of $x'$. Then the algorithm determines the order in which the cells $B \in \mathcal{B}$ intersected with $\{x \mid x = x'\}$ appear in the trajectory $\Gamma_{x'}$.

More precisely, for each pair of distinct cells $B_1, B_2 \in \mathcal{B}$ the algorithm decides, using the oracle, whether

$\exists x\ \exists t_1\ \exists t_2\ \exists y_1\ \exists y_2\ ((x, t_1, y_1) \in B_1 \wedge (x, t_2, y_2) \in B_2 \wedge (t_1 < t_2))$.

For a given $C \in \mathcal{E}$, after all pairs of cells are processed we get the ordered set of cells $B_1, \ldots, B_k$ in $\mathcal{D}$ such that for any $1 \le i \le k$ and any $x' \in C$ the sequence of points and intervals

$B_1 \cap \{x \mid x = x'\}, \ldots, B_k \cap \{x \mid x = x'\}$

forms the integral curve of $x'$. By the definition of the cylindrical decomposition, for any pair $B_i, P_j$ either $B_i \subset (G \times (-1, 1) \times P_j)$ or $B_i \cap (G \times (-1, 1) \times P_j) = \emptyset$. The algorithm uses the oracle to decide for every pair which of these two cases takes place. As the result, the sequence $B_1, \ldots, B_k$ becomes partitioned into subsequences of the kind

$(B_1, \ldots, B_{k_1}),\ (B_{k_1+1}, \ldots, B_{k_2}),\ \ldots,\ (B_{k_{\ell-1}+1}, \ldots, B_{k_\ell})$,

where for any $i$, $0 \le i \le \ell - 1$, the cells $B_{k_i+1}, \ldots, B_{k_{i+1}}$ lie in $G \times (-1, 1) \times P_{j_i}$ for some $j_i$, while $B_{k_i} \cap G \times (-1, 1) \times P_{j_i} = \emptyset$ and $B_{k_{i+1}+1} \cap G \times (-1, 1) \times P_{j_i} = \emptyset$.

Then the word $\omega := P_{j_0} \cdots P_{j_{\ell-1}}$ corresponds to the cell $C$. Considering all cells in $\mathcal{E}$ the algorithm finds $\Omega$ and then $\dot\Omega$. This completes the description of the construction of $T_\Omega$. It remains to construct the bisimulation $\sim$ on $G$.

As it was explained in the proof of Theorem 1, for $y_1, y_2 \in G$ we have $y_1 \sim y_2$ iff for respective pre-images $(x_1, t_1)$, $(x_2, t_2)$, the locations of $y_1, y_2$ on trajectories $\Gamma_{x_1}, \Gamma_{x_2}$ are described by the same dotted word. Fix a cell $C \in \mathcal{E}$. To all points $x \in C$ correspond the trajectories $\Gamma_x$ encoded by the same word, say $\omega := P_{j_0} \cdots P_{j_i} \cdots P_{j_{\ell-1}}$. Consider a dotted word $\dot\omega := P_{j_0} \cdots \dot P_{j_i} \cdots P_{j_{\ell-1}}$. Then all points $y \in \Gamma_x$ (for various $x \in C$) whose locations are described by $\dot\omega$ form the set

$A_{\dot\omega}(C) := \{y \in G \mid \exists x \in C\ \exists t\ ((x, t, y) \in (B_{k_i+1} \cup \cdots \cup B_{k_{i+1}}))\}$.

Notice that $A_{\dot\omega}(C)$ is a sub-Pfaffian set with components of the format not exceeding (6). The equivalence relation $\sim$ is now defined by the partition

$G = \bigcup_{\dot\omega \in \dot\Omega} A_{\dot\omega}$

into disjoint classes

$A_{\dot\omega} := \bigcup_{C \in \mathcal{E}} A_{\dot\omega}(C)$.

This completes the description of the algorithm. 

A straightforward analysis shows that the complexity of the algorithm does 
not exceed (6), taking into account the bounds from Theorem 3. 



7 Future Research 

Observe that the upper bounds from Theorems 5 and 6 on the size of bisimulations are doubly exponential in some parameters of the format of the original dynamical system. It looks feasible that there exists a singly exponential upper bound. The proof would require avoiding the cylindrical cell decomposition technique, which is intrinsically doubly exponential. Instead, it could use ideas related to those employed in effective quantifier elimination over real closed fields (see, e.g., [1]) and in recent upper bounds on topological complexity of definable sets [6].
Abstract. A CPS translation is a syntactic translation of programs, 
which is useful for describing their operational behavior. By iterating the 
standard call-by-value CPS translation, Danvy and Filinski discovered 
the CPS hierarchy and proposed a family of control operators, shift and 
reset, that make it possible to capture successive delimited continuations 
in a CPS hierarchy. 

Although shift and reset have found their applications in several ar- 
eas such as partial evaluation, most studies in the literature have been 
devoted to the base level of the hierarchy, namely, to level-1 shift and re- 
set. In this article, we investigate the whole family of shift and reset. We 
give a simple calculus with level-n shift and level-n reset for an arbitrary 
n > 0. We then give a set of equational axioms for them, and prove that 
these axioms are sound and complete with respect to the CPS transla- 
tion. The resulting set of axioms is concise and a natural extension of 
those for level-1 shift and reset. 

Keywords: CPS Translations, Control Operators, Delimited Continua- 
tions, Axiomatization, Type System. 



1 Introduction 

A CPS translation transforms a source term into continuation-passing style (CPS 
for short). It can be regarded as a compilation step, since it makes explicit the 
evaluation order of the source program and gives names to intermediate re- 
sults. Another motivating fact for CPS is that it makes it possible to represent 
various control mechanisms, such as callcc in Scheme and Standard ML of 
New Jersey, that give programmers first-class continuations in the source lan- 
guage. 

Logically, a CPS translation for the simply typed lambda calculus is a double 
negation interpretation from classical logic into minimal logic, or Friedman’s 
A-translation [12]. The control mechanisms added to the source language can 
be also understood logically. For instance, Griffin [13] has revealed the Curry- 
Howard correspondence between the calculus with callcc and classical logic. 

Danvy and Filinski [7, 8] observed that there is room for a more refined control mechanism. By CPS translating the answer type of the standard CPS translation, they obtained what they call a CPS hierarchy. Furthermore, they proposed a family of control operators shift and reset to abstract delimited continuations in this hierarchy. In the literature, many different control operators for delimited continuations have been proposed [10,14,15,16]. In contrast to these other control operators, shift and reset are solely defined in terms of the CPS translation. In addition, they have found applications in partial evaluation [19], one-pass CPS translations [8], and normalization by evaluation [4], as well as to represent layered monads [11] and mobile computation [24].

J. Marcinkowski and A. Tarlecki (Eds.): CSL 2004, LNCS 3210, pp. 442-457, 2004.
© Springer-Verlag Berlin Heidelberg 2004

In this article, we study a theoretical foundation of the control operators in 
the CPS hierarchy. Specifically, we address the problem of finding direct-style 
axioms for them. While these operators are used in many applications and their 
semantics is given by a CPS translation (be it iterated or extended), we often 
want to reason about source programs directly, rather than treating the image 
of CPS translations, since the CPS translation is sometimes said to obscure 
the overall structure of source programs. Also finding a good set of direct-style 
axioms could lead one to a better understanding of these operators. 

We give a simple set of axioms consisting of only three equations for shift 
and three equations for reset, and then prove that this set of equations is sound 
and complete with respect to the iterated CPS translation. This work builds on 
our previous work, in which we gave a sound and complete axiomatization for 
level-1 shift and reset operators [18], and for level-2 [17]. Since completeness 
proofs of this kind often require quite a lot of calculations, we make the proof 
more structured by following an idea due to Sabry [22, 23] and reconstructing it 
in a type-theoretic setting, which further simplifies our proof. 

The rest of this article is organized as follows. In Section 2, we infor- 
mally introduce shift and reset and we explain their operational aspect. In 
Sections 3 and 4, we formally introduce the calculi with these control operators 
and a CPS translation for them. In Section 5 we present the axioms for control 
operators. In Section 6, we give a type-theoretic analysis of the CPS translation 
and we prove completeness. In Section 7, we conclude and mention future work. 

We assume that readers have some familiarity with CPS transla- 
tions. 



2 Control Operators in the CPS Hierarchy 

We introduce the shift and reset operators through some examples. 

2.1 A Simple Example 

The following example uses these operators in a simple way: 

$3 + \langle 4 * \mathcal{S}(\lambda k.\ 5 + (k\,(k\,2)))\rangle$ $=$ let $k$ be $\lambda x.\langle 4 * x\rangle$ in $3 + \langle 5 + (k\,(k\,2))\rangle$

$= 3 + \langle 5 + \langle 4 * \langle 4 * 2\rangle\rangle\rangle$
where $\langle\_\rangle$ is the reset operator and $\mathcal{S}$ is the shift operator.¹ Unlike the continuation captured by callcc, the continuation captured by $\mathcal{S}$ is not the whole rest of the computation (such as $3 + \langle 4 * [\ ]\rangle$), but a part which is delimited by a reset, that is, $\langle 4 * [\ ]\rangle$. Also it is not abortive, and thus we can compose
the captured continuation with ordinary functions. When several occurrences of 
reset enclose an occurrence of shift, the (dynamically determined) closest one 
is chosen as the delimiter. 

As more substantial examples, we borrow the ones by Danvy and Filinski [7]. 

2.2 Nondeterminism 

A non-deterministic choice can be represented by backtracking in direct style 
using shift and reset: 

flip(x) ≝ S₁(λc. begin c(true); c(false); fail(_) end)
fail(x) ≝ S₁(λc. "no")
choice(n) ≝ if n < 1 then fail(_)
            else if flip(_) then choice(n − 1)
            else n

where _ is a dummy value, true, false are truth values, and begin ⋯ end is for sequencing.

To understand these programs, we CPS translate these three functions as:

flip-c(x, k) ≝ begin k(true); k(false); fail-c(_, k) end
fail-c(x, k) ≝ "no"
choice-c(n, k) ≝ if n < 1 then fail-c(_, k)
                 else flip-c(_, λy. if y then choice-c(n − 1, k)
                                         else k(n))

Let us consider the program ⟨display(choice(3))⟩₁. It is CPS translated to the program choice-c(3, display), which will display 1, 2 and 3 in this
order. It is easy to see that shift captures the current continuation, which 
is composable with functions (including other continuations), and that reset 
installs the identity continuation. 

2.3 Collecting Successive Results 

As a next step, one may want to collect all answers generated by non-deterministic choices. This is implemented by the function emit defined by:

emit(n) ≝ S₁(λc. cons(n, c(nil)))

For instance, ⟨begin emit(1); emit(2); emit(3) end⟩₁ will return a list (1 2 3).



¹ Danvy and Filinski used the notation ξk.M for S(λk.M).
It is then natural to expect that a combined program ⟨emit(choice(3))⟩₁ would work. However it does not, since the control operators in the two programs interfere. To see this, let us CPS translate emit as:

emit-c(n, k) ≝ cons(n, k(nil))

The term ⟨emit(choice(3))⟩₁ is CPS translated to choice-c(3, λx. emit-c(x, λa.a)), which will generate three lists (1), (2) and (3), but never collect these answers.

A correct way of combining these programs is to make them layered. The continuation captured in emit should be in a higher level than that captured in choice. To achieve this, the CPS counterpart of emit should be:

emit-c2(n, k, γ) ≝ cons(n, γ(k(nil)))

where γ is a level-2 continuation. Its direct-style counterpart is:

emit-c1(n, k) ≝ k(S₁(λc. cons(n, c(nil))))

which passes a continuation, even though it is not in CPS since the argument of k is not a trivial term. Its direct-style counterpart is:

emit(n) ≝ S₂(λc. cons(n, c(nil)))

This is the point where we need a level-2 control operator in the CPS hierarchy. Executing the term ⟨emit(choice(3))⟩₂ returns (1 2 3) as expected.
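As an added example that is not part of the paper, the CPS counterparts of flip, fail, choice and emit from Sections 2.2 and 2.3 are run in JavaScript: the 1-CPS versions reproduce the display of 1, 2, 3 and the failure of ⟨emit(choice(3))⟩₁, while the 2-CPS versions (our own derivation obtained by CPS translating flip-c, fail-c and choice-c once more, so that every level-1 continuation k receives a level-2 continuation g, together with emit-c2) return the collected list for ⟨emit(choice(3))⟩₂. Lists are represented as cons cells, so the tail that ends the collected list is the "no" answer of the last fail, which the paper's "(1 2 3)" leaves out.

```javascript
// Added example, not from the paper: the CPS programs of Sections 2.2-2.3.
// flipC/failC/choiceC/emitC mirror flip-c, fail-c, choice-c, emit-c; emitC2 is
// emit-c2. flipC2/failC2/choiceC2 are our own second CPS translation of the
// 1-CPS programs: a level-1 continuation k now takes (value, g), g being the
// level-2 continuation.

// Lisp-style cons cells: cons(n, tail) is {head: n, tail}.
const nil = null;
const cons = (head, tail) => ({ head, tail });

// Walk a cons list collecting heads; `tail` is whatever ended the list.
function listToArray(list) {
  const elems = [];
  let cur = list;
  while (cur !== nil && typeof cur === "object") {
    elems.push(cur.head);
    cur = cur.tail;
  }
  return { elems, tail: cur };
}

// --- 1-CPS: one continuation parameter k (Section 2.2) ---
const failC = (_x, _k) => "no";
function flipC(_x, k) {
  k(true);
  k(false);
  return failC(undefined, k);
}
function choiceC(n, k) {
  if (n < 1) return failC(undefined, k);
  return flipC(undefined, (y) => (y ? choiceC(n - 1, k) : k(n)));
}
const emitC = (n, k) => cons(n, k(nil));

// <display(choice(3))>_1 is choice-c(3, display): shows 1, 2, 3 in that order;
// the overall result is the "no" of the last fail-c.
function displayChoice(n) {
  const shown = [];
  const result = choiceC(n, (v) => { shown.push(v); return v; });
  return { shown, result };
}

// <emit(choice(3))>_1 is choice-c(3, \x. emit-c(x, \a.a)): builds the lists
// (1), (2), (3) separately; nothing collects them and the result is again "no".
function emitChoiceLevel1(n) {
  const produced = [];
  const result = choiceC(n, (x) => {
    const l = emitC(x, (a) => a);
    produced.push(listToArray(l).elems);
    return l;
  });
  return { produced, result };
}

// --- 2-CPS: k takes (value, g), g is the level-2 continuation ---
// fail-c returned "no" as the level-1 answer; in 2-CPS that answer goes to g.
const failC2 = (_x, _k, g) => g("no");
// begin k(true); k(false); fail-c(_, k) end, sequenced through level-2 continuations.
function flipC2(_x, k, g) {
  return k(true, (_r1) => k(false, (_r2) => failC2(undefined, k, g)));
}
function choiceC2(n, k, g) {
  if (n < 1) return failC2(undefined, k, g);
  return flipC2(undefined, (y, g2) => (y ? choiceC2(n - 1, k, g2) : k(n, g2)), g);
}
// emit-c2(n, k, g) = cons(n, g(k(nil))); with k in 2-CPS form, k(nil, g) is g
// applied to the level-1 answer, so the cons is added after g returns.
const emitC2 = (n, k, g) => cons(n, k(nil, g));

// <emit(choice(3))>_2: level-1 identity continuation (v, g) => g(v),
// level-2 identity continuation a => a. Yields cons(1, cons(2, cons(3, "no"))).
function emitChoiceLevel2(n) {
  const result = choiceC2(n, (x, g) => emitC2(x, (v, g2) => g2(v), g), (a) => a);
  return listToArray(result);
}
```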

2.4 Summary and Conclusion 

In summary, a direct-style program with level-2 control operators is CPS trans- 
lated to a 1-CPS program with level-1 control operators, which is then CPS 
translated to a 2-CPS program with no control operators. CPS translating this 
program yields a real CPS program where all calls are tail calls and all subterms 
are trivial. The family of layered control operators thus corresponds to the CPS 
hierarchy. 

A similar situation occurs when we perform partial evaluation of a program using shift/reset when the partial evaluator itself uses shift/reset. We refer the reader to Asai's recent work [1, 2].

3 The Calculi with Control Operators 

In this section, we define the language of our calculi, and postpone giving axioms 
until the next section. 

The calculus we choose here is a type-free lambda calculus with control oper- 
ators for delimited continuations. Later we briefly mention simply typed calculi. 
We consider the call-by-value evaluation order only. 
We shall define calculi $\lambda\mathcal{S}_n$ and $\lambda\mathcal{C}_n$ for a natural number $n$. The former is a calculus with shift/reset, and the latter a calculus with $\mathcal{C}$/reset. The control operator $\mathcal{C}$ has a slightly different semantics from shift, which will be explained later.

We first assume there are infinitely many variables (written x, y, z and so on). 
Terms of $\lambda\mathcal{S}_n$ are type-free lambda terms augmented with control operators, and defined by:

(terms) $M, N ::= x \mid \lambda x.M \mid MN \mid \langle M\rangle_i \mid \mathcal{S}_i$

where $1 \le i \le n$. Terms of $\lambda\mathcal{C}_n$ are defined in the same way with $\mathcal{S}_i$ being replaced by $\mathcal{C}_i$.

The index $i$ denotes the level, which is conceptually the number of iterations of CPS translations that are necessary to interpret the control operator. The construct $\langle\_\rangle_i$ is level-$i$ reset, and $\mathcal{S}_i$ is shift. Note that $\mathcal{S}_i$ (and $\mathcal{C}_i$) is a constant rather than a constructor. We use the abbreviations: $\mathcal{S}_i k.M = \mathcal{S}_i(\lambda k.M)$, $\mathcal{C}_i k.M = \mathcal{C}_i(\lambda k.M)$, and $\mathcal{A}_i = \lambda x.\mathcal{C}_i(\lambda k.x)$. We also define $\langle M\rangle_0 = M$.

A value (written $V$) is either a variable, a $\lambda$-abstraction, or a constant ($\mathcal{S}_i$ in $\lambda\mathcal{S}_n$ and $\mathcal{C}_i$ in $\lambda\mathcal{C}_n$). Variables are bound by $\lambda$, and free and bound variables of terms are defined as usual. $FV(M)$ denotes the set of free variables in $M$. We identify two terms which differ only in renaming of bound variables. $M\{x := N\}$ is the result of the usual capture-avoiding substitution of $N$ for $x$ in $M$.

Contexts and evaluation contexts are defined as follows:

$C ::= [\ ] \mid CM \mid MC \mid \langle C\rangle_i$

$E ::= [\ ] \mid EM \mid VE \mid \langle E\rangle_i$

$E^i ::= [\ ] \mid E^i M \mid VE^i \mid \langle E^i\rangle_j$ for $j \le i$

$E$ is an evaluation context in call by value, and $E^i$ is a level-$i$ evaluation context in which the level of reset operators enclosing the hole must be equal to or smaller than $i$. For example, $\langle x[\ ]\rangle_2$ and $\langle x[\ ]\rangle_2\langle yz\rangle_3$ are level-2 evaluation contexts. As a special case, $E^0$ is an evaluation context in which no reset may enclose the hole.

The operational semantics is given by the following rules (where $f \notin FV(E^{j-1})$):

$E[\langle V\rangle_j] \to E[V]$

$E[\langle E^{j-1}[\mathcal{S}_j V]\rangle_j] \to E[\langle V(\lambda f.\langle E^{j-1}[f]\rangle_j)\rangle_j]$

The first rule says that delimiting a value does nothing. The second rule shows how the $\mathcal{S}$-operator works. It captures the continuation delimited by the (dynamically determined) closest reset-operator, as the evaluation context $E^{j-1}$ does not contain a level-$j$ reset operator which encloses the hole. Note that the continuation captured by $\mathcal{S}_j$ is a function, whose body is enclosed by a level-$j$ reset operator. This is an essential difference between Danvy and Filinski's shift operator and Felleisen's control operator [10].

The rule above is only a special case of the general rule given below. As we explained before, the level of the corresponding reset operator can be higher than $j$. Therefore a general rule for the second line is (where $j \le i$ and $f \notin FV(E^{j-1})$):

$E[\langle E^{j-1}[\mathcal{S}_j V]\rangle_i] \to E[\langle V(\lambda f.\langle E^{j-1}[f]\rangle_j)\rangle_i]$

The two operators $\mathcal{S}_i$ and $\mathcal{C}_i$ are inter-definable:

$\mathcal{S}_i = \lambda z.\mathcal{C}_i(\lambda k.z(\lambda x.\langle kx\rangle_i))$

$\mathcal{C}_i = \lambda z.\mathcal{S}_i(\lambda k.z(\lambda x.\mathcal{S}_i(\lambda d.kx)))$

These equations are formally justified by the CPS translation in the next 
section. 



4 CPS Translation 

The CPS translation we consider is due to Danvy and Filinski [7]. It translates terms of the source calculi ($\lambda\mathcal{S}_n$ or $\lambda\mathcal{C}_n$) to the type-free lambda calculus without control operators. As we explained in the introduction, their CPS translation can be thought of as a standard CPS translation followed by $n - 1$ successive CPS translations of the answer type for $n \ge 1$. If we fix the number of iterations, then the whole translations can be expressed by a single, uncurried CPS translation, which we call an extended CPS translation. It takes $n$ continuation parameters, each being introduced by the $i$-th CPS translation (for $1 \le i \le n$). This extended CPS translation gives a precise semantics to the level-$i$ control operators (for $i \le n$). The $n$ continuation parameters are represented by the variables $k_i$, which we call a continuation variable of level $i$ (for $1 \le i \le n$).

For a fixed $n$, and given a term $M$ and a value $V$ in the source calculi, we define two translations $[\![\_]\!]$ and $(\_)^*$ which send a term and a value to terms of the type-free lambda calculus. To avoid clutter we present a $\beta\eta$-reduced version. In the following we assume $1 \le i \le n$.



$[\![V]\!] \stackrel{\mathrm{def}}{=} \lambda k_1.\ k_1 V^*$

$[\![MN]\!] \stackrel{\mathrm{def}}{=} \lambda k_1.\ [\![M]\!](\lambda m.\ [\![N]\!](\lambda n.\ m\,n\,k_1))$

$[\![\langle M\rangle_i]\!] \stackrel{\mathrm{def}}{=} \lambda k_1 \cdots k_{i+1}.\ [\![M]\!]\,\theta_1 \cdots \theta_i\,(\lambda x.\ \theta_0\,x\,k_1 k_2 \cdots k_{i+1})$

$x^* \stackrel{\mathrm{def}}{=} x$

$(\lambda x.M)^* \stackrel{\mathrm{def}}{=} \lambda x.[\![M]\!]$

$\mathcal{S}_i^* \stackrel{\mathrm{def}}{=} \lambda x k_1 \cdots k_i.\ x\,(\lambda y k_1' \cdots k_{i+1}'.\ \theta_0\,y\,k_1 k_2 \cdots k_i\,(\lambda z.\ \theta_0\,z\,k_1' k_2' \cdots k_{i+1}'))\,\theta_1 \cdots \theta_i$

$\mathcal{C}_i^* \stackrel{\mathrm{def}}{=} \lambda x k_1 \cdots k_i.\ x\,(\lambda y k_1' \cdots k_i'.\ \theta_0\,y\,k_1 k_2 \cdots k_i)\,\theta_1 \cdots \theta_i$

where $\theta_i \stackrel{\mathrm{def}}{=} \lambda x k_{i+1}.\ k_{i+1}\,x$. The term $\theta_i$ can be thought of as the image of the identity continuation (the empty evaluation context $[\ ]$) of level $i$.

Let us briefly explain the extended CPS translation. Terms and values without control operators are translated as usual. For the term $\langle M\rangle_i$, the reset operator installs identity continuations up to level $i$, and composes all continuations of up to level $i$ with the continuation of level $i + 1$. The operator $\mathcal{C}_i$ captures the current continuation up to level $i$, which results in $\lambda y k_1' \cdots k_i'.\ \theta_0\,y\,k_1 k_2 \cdots k_i$ in this context, then applies it to the argument. It also installs instances of the identity continuation up to level $i$. The CPS translation of $\mathcal{S}_i$ is slightly more complex, since it captures a non-abortive delimited continuation so that we should compose $k_1, \cdots, k_i$ with the captured continuation. Note that the result of the extended CPS translation does not depend on $n$ (if the result is defined).

We show a few examples of the extended CPS translation and /3?7-reductions 
in the target calculus: 

[C 2 (A/./a;)] = Xki.{Xki.kiC 2 *){Xm.{Xki.ki{Xf.fx)*){Xn.mnki)) 

^ Xk\ . k~\_x 

l{xy)2] = Xkik2ks. lxy]9i92{Xz. 9ozkik2kz) 

Xkik2k3- xy9i92{Xz. kizk2ks) 

The semantics of the target terms is given by the standard βη-equality (the 
type-free lambda calculus with βη-equality will be denoted by λβη). Given a 
CPS translation and the target theory λβη, the source calculus is given a rigid 
semantics (CPS semantics). The fundamental question addressed in this article 
is, what is the equality theory that coincides with this CPS semantics. We first 
give an answer to this question, and then prove it. 



5 Axioms of λS_n and λC_n 

We give axioms for the theories λS_n and λC_n. The common axioms for these 
theories are shown in Figure 1, the specific axioms for λS_n are in Figure 2, and 
the specific axioms for λC_n are in Figure 3. In the presentation of axioms, we 
assume the levels of all control operators are at most n, namely, 1 ≤ i, j ≤ n. For 
the purpose of comparison, we list the axioms for the base level control operators 
S_1 and ⟨_⟩_1 in Figure 4, which were given in our joint work with Hasegawa [18]. 

Recall that E^i is a level-i evaluation context, S_i k.M = S_i(λk.M), C_i k.M = 
C_i(λk.M), and ⟨M⟩_0 = M. The last abbreviation is used when i = 1 in reset-lift-2 
and others. (Note that i − 1 may be 0.) 

Let us explain Figure 1. The first three axioms β_v, η_v and β_Ω are those for 
Moggi's computational lambda calculus, the canonical calculus in call-by-value 
[20]. The axiom reset-value is essentially the same as that in the level-1 theory (Fig- 
ure 4). The axioms reset-lift and reset-lift-2 lift a β-redex over a reset operator. 
The axiom β_Ω can be applied to the level-0 evaluation context only, but with 
the help of these axioms we can lift a β-redex over a general evaluation context. 
The axiom reset-lift is a natural extension of its level-1 counterpart, while no 
counterpart of reset-lift-2 exists in the level-1 axioms. The axiom may look strange 
since the index j appears only in the right-hand side. We may restrict j to i in 
reset-lift-2 in the presence of the axiom ⟨⟨M⟩_j⟩_i = ⟨M⟩_i for j ≤ i. 
$$
\begin{array}{lcl}
(\lambda x.M)V = M\{x := V\} & & \beta_v \\
\lambda x.\,Vx = V & & \eta_v,\ \text{if } x \notin FV(V) \\
(\lambda x.E^0[x])M = E^0[M] & & \beta_\Omega,\ \text{if } x \notin FV(E^0) \\
\langle V\rangle_i = V & & \text{reset-value} \\
\langle(\lambda x.M)\langle N\rangle_i\rangle_j = (\lambda x.\langle M\rangle_j)\langle N\rangle_i & & \text{reset-lift},\ j \le i \\
\langle(\lambda x.M)\langle N\rangle_{i-1}\rangle_i = \langle(\lambda x.\langle M\rangle_j)\langle N\rangle_{i-1}\rangle_i & & \text{reset-lift-2},\ j \le i
\end{array}
$$

Fig. 1. Common Axioms for λS_n and λC_n (1 ≤ i, j ≤ n) 



$$
\begin{array}{lcl}
\mathcal{S}_i k.\,\langle M\rangle_i = \mathcal{S}_i k.\,M & & \mathcal{S}\text{-reset} \\
\mathcal{S}_i k.\,k\langle M\rangle_{i-1} = \langle M\rangle_{i-1} & & \mathcal{S}\text{-elim, if } k \notin FV(M) \\
\langle E^j[\mathcal{S}_i k.M]\rangle_i = \langle M\{k := \lambda f.\,\langle E^j[f]\rangle_i\}\rangle_i & & \mathcal{S}\text{-lift, if } k \notin FV(E^j),\ f \notin FV(kE^j),\ \text{and } j < i
\end{array}
$$

Fig. 2. Specific Axioms for λS_n (1 ≤ i, j ≤ n) 



$$
\begin{array}{lcl}
\mathcal{C}_i k.\,\langle M\rangle_i = \mathcal{C}_i k.\,M & & \mathcal{C}\text{-reset} \\
\mathcal{C}_i k.\,k\langle M\rangle_{i-1} = \langle M\rangle_{i-1} & & \mathcal{C}\text{-elim, if } k \notin FV(M) \\
\langle E^j[\mathcal{C}_i k.M]\rangle_i = \langle M\{k := \lambda f.\,\mathcal{A}_i\langle E^j[f]\rangle_{i-1}\}\rangle_i & & \mathcal{C}\text{-lift, if } k \notin FV(E^j),\ f \notin FV(kE^j),\ \text{and } j < i
\end{array}
$$

Fig. 3. Specific Axioms for λC_n (1 ≤ i, j ≤ n) 



Besides the common axioms, each theory has three specific axioms for S_i or 
C_i. The axiom S-reset is a natural extension of its level-1 counterpart, while the 
axiom S-elim is not quite the same as a natural extension of its level-1 coun- 
terpart. In fact, S_i k.kN = N is not sound for i > 1. Danvy and Filinski [7] 
stated that the current formulation of shift/reset is not completely satisfac- 
tory since S_2 k.kN = N does not hold. However, by restricting N to ⟨M⟩_{i−1}, we 
have obtained a sound axiom. 

The last axiom S-lift is a natural extension of its level-1 counterpart (called 
reset-S formerly).^ It is also a direct formulation of the operational semantics 
given in the earlier section, by changing reduction to equality. 

We believe that the resulting axioms are simple to understand, and the sound- 
ness of these axioms is not surprising. The completeness of λC_n may be surpris- 
ing, since one may think it lacks many important equations which were included 
in our axiomatization of C_2 [17], such as: 



^ S-lift does not immediately subsume reset-S, since the latter allows an arbitrary M 
in S_1 M, while the former restricts it to be a function. However, this difference does 
not matter since we can prove S_i M = S_i k.Mk for k ∉ FV(M) in λS_n. 
$$
\begin{array}{lcl}
\langle V\rangle_1 = V & & \text{reset-value} \\
\langle(\lambda x.M)\langle N\rangle_1\rangle_1 = (\lambda x.\langle M\rangle_1)\langle N\rangle_1 & & \text{reset-lift} \\
\mathcal{S}_1 k.\,kM = M & & \mathcal{S}\text{-elim, if } k \notin FV(M) \\
\mathcal{S}_1 k.\,\langle M\rangle_1 = \mathcal{S}_1 k.\,M & & \mathcal{S}\text{-reset} \\
\langle E^0[\mathcal{S}_1 M]\rangle_1 = \langle M(\lambda x.\langle E^0[x]\rangle_1)\rangle_1 & & \text{reset-}\mathcal{S}\text{, if } x \notin FV(E^0)
\end{array}
$$

Fig. 4. Axioms for λS_1 other than β_v, η_v, and β_Ω 



$$
\begin{array}{lcl}
\langle\langle M\rangle_i\rangle_j = \langle M\rangle_i = \langle\langle M\rangle_j\rangle_i & & \text{reset-reset, if } j \le i \\
\langle \mathcal{C}_i k.M\rangle_j = \mathcal{C}_i k.M & & \text{reset-}\mathcal{C}\text{, if } j < i \\
\langle \mathcal{C}_i k.M\rangle_i = \langle M\{k := \mathcal{A}_i\}\rangle_i & & \mathcal{C}\text{-top} \\
(\lambda x.\,\mathcal{C}_i k.M)N = \mathcal{C}_i k.\,(\lambda x.M)N & & \text{let-}\mathcal{C}_i\text{, if } k \neq x \\
\mathcal{C}_i M = \mathcal{C}_i k.\,Mk & & \mathcal{C}_i\text{-fun, if } k \notin FV(M)
\end{array}
$$



Another seemingly missing axiom is an equation for lifting C_i over an evalu- 
ation context such as E^j[C_i k.M] = M{k := ⋯}. In the next theorem we show 
that these equations are derivable. 

From now on, we will mainly investigate λC_n. After proving its completeness, 
we will come back to λS_n. 



Theorem 1. The equations reset-reset, reset-C, C-top, let-C_i and C_i-fun listed 
above are derivable in λC_n, and so are the following equations (for j < i): 

$$
\begin{array}{lcl}
E^j[\mathcal{A}_i\langle M\rangle_{i-1}] = \mathcal{A}_i\langle M\rangle_{i-1} & & \mathcal{A}_i\text{-abort} \\
\mathcal{C}_i k.\,C[E^j[kV]] = \mathcal{C}_i k.\,C[kV] & & \mathcal{C}\text{-abort} \\
E^j[\mathcal{C}_i k.M] = \mathcal{C}_1 k_1.\cdots\mathcal{C}_i k_i.\,M\{k := N\} & & \text{telescope}
\end{array}
$$

where, in the telescope equation, N = λf. k_i⟨k_{i−1}(⋯⟨k_1(E^j[f])⟩_1⋯)⟩_{i−1}. 



Proof. The equation reset-reset is obtained in this way. By putting M = x in 
reset-lift, we obtain ⟨⟨N⟩_i⟩_j = (λx.⟨x⟩_j)⟨N⟩_i, and by reset-value and β_Ω, we 
obtain ⟨⟨N⟩_i⟩_j = ⟨N⟩_i for j ≤ i. Similarly, by putting N = x in reset-lift-2, we 
obtain ⟨M⟩_i = ⟨⟨M⟩_j⟩_i for j ≤ i, hence we are done. 

The equation reset-C is obtained by putting E^j = [ ] and E^j = ⟨[ ]⟩_j in C-lift 
and comparing the results. The equation C-top is obtained by putting E^j = [ ] 
in C-lift and using reset-value and η_v. 

For the remaining equations, we first derive by C-elim and C-reset: 

$$
M = \mathcal{C}_1 k_1.\,k_1 M = \mathcal{C}_1 k_1.\,\langle k_1 M\rangle_1 = \mathcal{C}_1 k_1.\,\mathcal{C}_2 k_2.\,\langle k_2\langle k_1 M\rangle_1\rangle_2
$$

Iterating this process i times we obtain: 

$$
M = \mathcal{C}_1 k_1.\,\mathcal{C}_2 k_2.\cdots\mathcal{C}_i k_i.\,\langle k_i\langle\cdots\langle k_2\langle k_1 M\rangle_1\rangle_2\cdots\rangle_{i-1}\rangle_i
$$

By this equation and C-lift, we obtain the following key equation (where 
j < i): 

$$
\begin{array}{rcl}
E^j[\mathcal{C}_i k.M] &=& \mathcal{C}_1 k_1.\cdots\mathcal{C}_i k_i.\,\langle k_i\langle k_{i-1}(\cdots\langle k_1(E^j[\mathcal{C}_i k.M])\rangle_1\cdots)\rangle_{i-1}\rangle_i \\[2pt]
 &=& \mathcal{C}_1 k_1.\cdots\mathcal{C}_i k_i.\,\langle M\{k := \lambda f.\,\mathcal{A}_i\langle k_i\langle k_{i-1}(\cdots\langle k_1(E^j[f])\rangle_1\cdots)\rangle_{i-1}\rangle_{i-1}\}\rangle_i
\end{array}
$$

For A_i-abort, we first note that, if … , then we can derive E^j[(λx.N)⟨M⟩_{i−1}] = 
(λx.E^j[N])⟨M⟩_{i−1} by reset-lift and β_Ω. Also, if k ∉ FV(M), then the right-hand 
side of the key equation does not contain E^j, hence E^j[C_i k.M] = C_i k.M. Then 
we can compute as follows (for j < i): 

$$
\begin{array}{rcll}
E^j[\mathcal{A}_i\langle M\rangle_{i-1}] &=& E^j[(\lambda x.\,\mathcal{C}_i(\lambda k.x))\langle M\rangle_{i-1}] & \text{by definition} \\
 &=& (\lambda x.\,E^j[\mathcal{C}_i(\lambda k.x)])\langle M\rangle_{i-1} & \text{by the above equation} \\
 &=& (\lambda x.\,\mathcal{C}_i(\lambda k.x))\langle M\rangle_{i-1} & \text{by the key equation} \\
 &=& \mathcal{A}_i\langle M\rangle_{i-1}
\end{array}
$$

For C-abort we compute as follows (where j < i, and C' denotes C with the 
same substitution for k applied): 

$$
\begin{array}{rcll}
\mathcal{C}_i k.\,C[E^j[kV]]
 &=& \mathcal{C}_1 k_1.\cdots\mathcal{C}_i k_i.\,\langle (C[E^j[kV]])\{k := \lambda f.\,\mathcal{A}_i\langle k_i(\cdots\langle k_1 f\rangle_1\cdots)\rangle_{i-1}\}\rangle_i \\[2pt]
 &=& \mathcal{C}_1 k_1.\cdots\mathcal{C}_i k_i.\,\langle C'[E^j[\mathcal{A}_i\langle k_i(\cdots\langle k_1 V\rangle_1\cdots)\rangle_{i-1}]]\rangle_i \\[2pt]
 &=& \mathcal{C}_1 k_1.\cdots\mathcal{C}_i k_i.\,\langle C'[\mathcal{A}_i\langle k_i(\cdots\langle k_1 V\rangle_1\cdots)\rangle_{i-1}]\rangle_i & \text{by } \mathcal{A}_i\text{-abort}
\end{array}
$$

Since the final result does not contain E^j, we have C_i k.C[E^j_1[kV]] = C_i k.C[E^j_2[kV]] 
for any level-j evaluation contexts E^j_1 and E^j_2. The axiom C-abort then follows. 

Applying C-abort to the key equation (by putting E^j = A_i⟨[ ]⟩_{i−1} in C-abort), 
we obtain the telescope axiom.^ Verification of let-C_i and C_i-fun is left for the 
reader. 

This finishes the proof of the theorem. 

6 Completeness Proof 

The main results of this article are that the theories λS_n and λC_n are sound 
and complete with respect to the extended CPS translation into the theory λβη. 
In the previous work, we proved completeness by the following strategy: (1) we 
analyzed the syntax of the image of the CPS translation, (2) defined an inverse CPS 
translation, i.e., a direct-style transformation, and (3) proved that the equality 
is preserved through this inverse translation. The most difficult part was to find 
a suitable inverse translation, and we found it by trial and error. In this article 
our source calculus is much more complex than those in the previous studies, 
and therefore a better strategy is called for. 

The proof method we present here is based on an idea by Sabry, who applied 
it to the axiomatization of a calculus with level-1 shift and reset [22]. In this 
section, we develop his method in the type-theoretic framework so as to make 
the proof more structured. 



^ This is a generalized version of Murthy's telescope axiom [21]. 
6.1 The Target Calculus and Its Type Structure 

We analyze the set of terms which contains the image of the extended CPS 
translation and is closed under βη-reductions. We call this language (under the 
βη-equality) the target language or the target calculus. 

An important observation on the target calculus is that it is typed by the 
following type structure: 

$$
\begin{array}{lcll}
\mathit{Term}_i &=& \mathit{Cont}_{i+1} \to \mathit{Term}_{i+1} & \text{for } 0 \le i < n \\
\mathit{Term}_n &=& \mathit{Ans} \\
\mathit{Cont}_i &=& \mathit{Value} \to \mathit{Term}_i & \text{for } 1 \le i \le n \\
\mathit{Value} &=& \mathit{Value} \to \mathit{Term}_0
\end{array}
$$

where Ans is an arbitrary, fixed type, called the answer type [7, 9].^ The above 
definition of types makes sense if we have recursive types, that is, if the recursive 
equation for Value has a solution. Note that if we were working in the typed 
setting from the beginning, that is, if our source calculi were simply typed lambda 
calculi, we would not need recursive types for Value. 

Using the type structure, terms of the target calculus can be introduced as 
typed terms. A typing judgment is of the form Γ ⊢ P : T where Γ is a set 
of variable-type pairs consisting of either x : Value or k_i : Cont_i. As usual, a 
variable may occur at most once in Γ. We have the following eight type inference 
rules for 0 ≤ i ≤ n: 



$$
\begin{array}{cc}
\dfrac{\Gamma \vdash W : \mathit{Value} \qquad \Gamma \vdash W' : \mathit{Value}}{\Gamma \vdash WW' : \mathit{Term}_0}
&
\dfrac{\Gamma,\, k_i : \mathit{Cont}_i \vdash T_i : \mathit{Term}_i}{\Gamma \vdash \lambda k_i.\,T_i : \mathit{Term}_{i-1}}
\\[14pt]
\dfrac{\Gamma \vdash T_{i-1} : \mathit{Term}_{i-1} \qquad \Gamma \vdash K_i : \mathit{Cont}_i}{\Gamma \vdash T_{i-1}\,K_i : \mathit{Term}_i}
&
\dfrac{}{\Gamma,\, k_i : \mathit{Cont}_i \vdash k_i : \mathit{Cont}_i}
\\[14pt]
\dfrac{}{\Gamma,\, x : \mathit{Value} \vdash x : \mathit{Value}}
&
\dfrac{\Gamma \vdash K_i : \mathit{Cont}_i \qquad \Gamma \vdash W : \mathit{Value}}{\Gamma \vdash K_i\,W : \mathit{Term}_i}
\\[14pt]
\dfrac{\Gamma,\, x : \mathit{Value} \vdash T_i : \mathit{Term}_i}{\Gamma \vdash \lambda x.\,T_i : \mathit{Cont}_i}
&
\dfrac{\Gamma,\, x : \mathit{Value} \vdash T_0 : \mathit{Term}_0}{\Gamma \vdash \lambda x.\,T_0 : \mathit{Value}}
\end{array}
$$

where Γ, x : Value means the set union Γ ∪ {x : Value}. 

If we can prove Γ ⊢ P : T using the typing rules above, we say that P is a 
term (of type T) in the target calculus. For instance, the term λk_1. k_1 x (which 
is the βη-reduced term of [C_2(λf.fx)]) can be typed as follows: 

$$
\dfrac{\dfrac{x : \mathit{Value},\, k_1 : \mathit{Cont}_1 \vdash k_1 : \mathit{Cont}_1 \qquad x : \mathit{Value},\, k_1 : \mathit{Cont}_1 \vdash x : \mathit{Value}}{x : \mathit{Value},\, k_1 : \mathit{Cont}_1 \vdash k_1\,x : \mathit{Term}_1}}{x : \mathit{Value} \vdash \lambda k_1.\,k_1\,x : \mathit{Term}_0}
$$

For this type structure, it is not difficult to prove the following theorem. 



^ We can make the answer type parametric, as investigated by Thielecke [25]. 
Theorem 2. (1) … Γ ⊢ [M] : Term_0 … Γ' ⊢ V* : Value … 
(2) … Γ ⊢ P : T … P … Q … Γ ⊢ Q : T. 

6.2 Direct-Style Translation 

We define an extended direct-style translation from the target calculus to the 
source calculus λC_n. We first give it as a syntactic translation ♮ based on the 
type structure of target terms as follows (for 0 ≤ i ≤ n): 



$$
\begin{array}{rcl}
(WW')^{\natural} &\stackrel{\mathrm{def}}{=}& W^{\natural}\,W'^{\natural} \\[2pt]
(\lambda k_i.\,T_i)^{\natural} &\stackrel{\mathrm{def}}{=}& \mathcal{C}_i k_i.\,T_i^{\natural} \\[2pt]
(K_i\,W)^{\natural} &\stackrel{\mathrm{def}}{=}& \cdots \\[2pt]
(\lambda x.\,T_i)^{\natural} &\stackrel{\mathrm{def}}{=}& \lambda x.\,\langle T_i^{\natural}\rangle_i \\[2pt]
x^{\natural} &\stackrel{\mathrm{def}}{=}& x \\[2pt]
(\lambda x.\,T_0)^{\natural} &\stackrel{\mathrm{def}}{=}& \lambda x.\,T_0^{\natural}
\end{array}
$$

The next theorem ensures that ♮ is in fact a translation from the target calculus to λC_n. 

Theorem 3. … for target terms P and Q … , if λβη ⊢ P = Q, 
then λC_n ⊢ P♮ = Q♮. 

We also have that ♮ is really an inverse of the extended CPS translation. 

Theorem 4. For any term M of λC_n, λC_n ⊢ [M]♮ = M. 

The proofs of these theorems are not shown here due to lack of space. 

Now we can prove the completeness of λC_n. 

Theorem 5 (Soundness & Completeness). For terms M and N of λC_n, 
λC_n ⊢ M = N if and only if λβη ⊢ [M] = [N]. 

Proof. Soundness (the "only-if" direction) can be proved by calculating both 
sides of the axioms in λC_n. For completeness (the "if" direction), suppose λβη ⊢ [M] = 
[N]. Since [M] and [N] are of type Term_0, we have λC_n ⊢ [M]♮ = [N]♮ by Theorem 
3. Using Theorem 4, we conclude λC_n ⊢ M = N. 

6.3 Completeness of λS_n 

We finally obtain the completeness of λS_n. 

Theorem 6 (Soundness & Completeness). For terms M and N of λS_n, 
λS_n ⊢ M = N if and only if λβη ⊢ [M] = [N]. 

Proof. Soundness can be proved in the same way as for λC_n. For completeness, let 
φ be a translation from terms in λS_n to terms in λC_n which replaces S_i by its 
"definition" in C_i given in Section 3. Similarly, let ψ be a translation from λC_n 
to λS_n. It suffices to prove the following properties with M and M' being terms 
in λS_n, and N and N' being terms in λC_n: 

1. λβη ⊢ [φ(M)] = [M]. 

2. λC_n ⊢ N = N' implies λS_n ⊢ ψ(N) = ψ(N'). 

3. λS_n ⊢ ψ(φ(M)) = M. 

All these properties can be proved by calculation. 



6.4 Typing Source Calculi 

So far we have been studying the simplest possible source calculi. Introducing 
type structure into the source calculi is an important problem, as most modern 
programming languages have a built-in type system. Another benefit of intro- 
ducing types is that, in the presence of appropriate types, we can avoid the full 
η_v-equality (λx.Vx = V for x ∉ FV(V)), which is inconsistent with the pres- 
ence of basic values such as natural numbers. In order to restrict V in η_v to a 
functional value, we need a type system in the source calculus. 

A simple choice of the typing rules of control operators would be: 

$$
\dfrac{\Gamma \vdash M : \star}{\Gamma \vdash \langle M\rangle_i : \star} \qquad\qquad \Gamma \vdash \mathcal{S}_i : \cdots \to A
$$

where ⋆ is a designated atomic type (its symbol, and the full type of S_i, are not legible in the source), and A is an arbitrary type. Then we can 
prove that the extended CPS translation preserves typability if we add the 
type information to the classes Term_0 and Value in the target calculus (in which 
case, the type structure of the target calculus does not need recursive types). 
All the axioms and the proof of soundness and completeness in this article go 
through for the simply typed case. 

Introduction of types to the source calculi makes explicit the connection of 
the extended CPS translation and the double negation translation. If we take 
n = 1, then by the definition of types given in Section 6.1 we have Term_0 = 
(Value → Ans) → Ans. If we take n = 2, then 

Term_0 = (Value → (Value → Ans) → Ans) → (Value → Ans) → Ans 

Hence the type Ans in the n = 1 case (which corresponds to ⊥ in the double 
negation translation) is CPS translated to (Value → Ans) → Ans in the n = 2 
case. Thus, we can say the extended translation represents an iterated double- 
negation translation. 

In the literature, Danvy and Filinski [6] and Murthy [21] have proposed more 
liberal type systems for shift and reset. Since these type systems are quite 
complicated, it is not obvious whether our axioms work for them. 




Axioms for Delimited Continuations in the CPS Hierarchy 






7 Conclusion 

In this article we have studied a family of control operators in the CPS hierarchy. 
In particular, we have analyzed the image of the extended CPS translation with 
type-theoretic machinery, and have obtained a simple set of axioms which is 
sound and complete for all such control operators. To our knowledge this work 
is the first such result about the hierarchy of delimited continuation operators. 
Our axioms for level-n shift/reset are a simple extension of those for level-1 
shift/reset, and the axioms for level-n C/reset are even simpler than those 
for level-2 C/reset. 

The control operators in the CPS hierarchy have also been investigated by 
Murthy [21], who gave an elaborate type system for level-n shift and reset, and 
also gave a set of axioms for them. The difference between his work and ours is 
that he only proved the soundness of the axioms and did not state completeness, 
and also that his set of axioms consists of many complex axioms such as the 
telescope axiom, while ours consists of a small number of simple axioms. 

In another line of work, Danvy and Yang [9], Murthy [21], and Biernacka, 
Biernacki and Danvy [3] studied an operational aspect of the control operators 
in the CPS hierarchy by giving abstract machines for shift and reset. It seems 
interesting to study how our axioms fit with these abstract machines. 

Future Work: Besides studying the connection to abstract machines, there are 
two major avenues for future work: 

(1) While we have built a theoretical foundation for the control operators 
in the CPS hierarchy there remains a question about the application of our ax- 
ioms. It is almost impossible to use them for automatic verification because they 
require a degree of insight. Nevertheless, besides obtaining a better understand- 
ing of control operators, we hope to use the axioms to prove the correctness of 
program translations such as compiler optimization. 

(2) An even more fundamental question of this study is whether one needs 
these hierarchical control operators at all. The existence of several application 
programs and the correspondence between the CPS hierarchy and layered mon- 
ads [11] seem to give a positive answer to this question. However, there is much 
room for further work. 
Abstract. Set constraints are a useful formalism for verifying properties 
of programs. Usually, they are interpreted over the universe of finite 
terms. However, some logic languages allow infinite regular terms, so it 
seems natural to consider set constraints over this domain. In the paper 
we show that the satisfiability problem of set constraints over regular 
terms is undecidable. We also show that, if each function symbol has 
arity at most 1, then this problem is EXPSPACE-complete. 



1 Introduction 

Set constraints are inclusions between expressions denoting sets of terms. They 
are a natural formalism for problems that arise in program analysis, including 
type checking, type inference, and approximating the meaning of programs. They 
were used in analyzing functional [ALW94], logic [AL94], imperative [HJ94] and 
concurrent constraint programs [CPM99]. 

The most popular domain for which set constraints were considered is the 
Herbrand universe, i.e. the set of all finite terms constructed over a given signa- 
ture. The satisfiability of such constraints was studied by many authors including 
N. Heintze and J. Jaffar [HJ90], A. Aiken and E. L. Wimmers [AW92], L. Bach- 
mair, H. Ganzinger, U. Waldmann [BGW93], R. Gilleron, S. Tison and M. Tom- 
masi [GTT93] and W. Charatonik and L. Pacholski [CP94]. Set constraints for 
other domains were also studied ([MGWK96], [ALW94]). 

In this paper we consider a variant of set constraints, namely set constraints 
over the set of (finite and infinite) regular terms. This domain was first intro- 
duced in Prolog II [Col82], and is now used in many modern logic programming 
languages, such as SWI-Prolog [Wie03] or Eclipse [WNS97]. Classical set con- 
straints over the Herbrand universe can be inadequate in analyzing programs 
written in these languages. 

Infinite terms in the context of set constraints were studied by Charatonik 
and Podelski [CP98], who proved that, for some restricted class of set con- 
straints, which they call co-definite set constraints, the algorithms working for 
the Herbrand universe also apply to infinite terms. They proved EXPTIME- 
completeness of the satisfiability problem of co-definite set constraints over infi- 
nite regular terms. 
In general, the satisfiability problem in the Herbrand universe is not equiv- 
alent to the satisfiability problem over the set of regular terms. Consider, for 
example, the signature containing one constant c, and one unary function sym- 
bol f. Then the set constraints X ≠ ∅, X = f(X) have no solution in the 
Herbrand universe, but they have a solution X = {f(f(f(⋯)))} in the set of 
infinite terms. Even if we forbid negative constraints, the finite and infinite cases 
differ. Consider the set constraints (with the same signature) consisting of one 
equation X = f($\overline{X}$). It has a solution in the Herbrand universe, but it is not 
solvable in the universe of regular terms. The reason is that the regular term 
t = f(f(f(⋯))) fulfills the equation t = f(t), so the constraint implies that, in 
any solution, t belongs to X if and only if t belongs to $\overline{X}$. 

In this paper we show that the satisfiability problem for positive set con- 
straints over regular terms is undecidable. The proof is by reduction of the Post 
Correspondence Problem. Moreover, we show that, if all function symbols have 
arity less than or equal to 1, this problem is EXPSPACE-complete. These are 
rather surprising results, since set constraints over the Herbrand universe are 
EXPTIME-complete in the unary case and NEXPTIME-complete when we allow 
function symbols of any arity [AKVW93] (they stay in NEXPTIME even if we 
enrich the language, adding negative constraints and projections [CP94]). 



2 Preliminaries 

2.1 Signatures and Terms 

Let Σ = Σ_0 ∪ Σ_1 ∪ Σ_2 ∪ ⋯ be a signature. A function symbol from Σ_n is said 
to be of arity n. 

In the paper, by a term we mean a finite or infinite tree with nodes labeled 
by elements from Σ. If the label of a node belongs to Σ_n, then this node has 
exactly n ordered sons. A term t_1 is a subterm of t_2, if t_1 is a subtree of t_2. A 
term t is regular, if it has only finitely many different subterms. We denote the 
set of all (finite and infinite) regular terms over Σ by T_Σ. For terms t_1, …, t_n, 
we define the term f(t_1, …, t_n) as a tree t, such that the root of t is labeled by 
f, and the i-th son of the root is t_i, for i = 1, …, n. 

In order to describe regular terms we introduce the notion of t-graphs. A 
t-graph is a tuple (Σ, V, E), where V is a set of vertices, Σ is a signature, and 
E : V → Σ × V*, such that if E(v) = (f, v_1 … v_n), then f is of arity 
n. In such a situation we say that v is labeled by f. If V is finite then we 
say that the t-graph (Σ, V, E) is finite. We write v =_E f(v_1, …, v_n) instead of 
E(v) = (f, v_1 … v_n). We say that a vertex v_i is the i-th son of v, if and only if 
v =_E f(v_1, …, v_{i−1}, v_i, v_{i+1}, …, v_n), for some f. 

A regular term can be represented by a t-graph with a selected vertex, as 
is shown in Figure 1. This correspondence can be defined formally in the 
following way: a vertex v in a t-graph G = (Σ, V, E) describes a term t, if there 
is a function h from the subterms of t to V such that h(t) = v, and, for every 
subterm t' = f(s_1, …, s_n) of t, we have h(t') =_E f(h(s_1), …, h(s_n)). 

For a t-graph G, by T(G) we denote the set of regular terms represented 
by the vertices of G. We say that a t-graph is minimal, if each of its vertices 
describes a distinct regular term (in Figure 1, G_2 is minimal, whereas G_1 is not). 
We denote by M_Σ the minimal t-graph (usually infinite) such that T(M_Σ) = T_Σ. 
It is easy to see that the t-graph M_Σ exists, and is unique up to isomorphism. 

2.2 Set Constraints 

Set constraints are inclusions^ of the form E ⊆ E', where the expressions E and 
E' are given by the grammar 

$$
E ::= X \mid E \cap E \mid \overline{E} \mid f(E, \ldots, E) \mid \bot,
$$

where X stands for a variable from a given set, and f is a function symbol from a given 
signature Σ. We will use ⊤ as the abbreviation of $\overline{\bot}$, and E_1 ∪ E_2 as the abbreviation 
of $\overline{\overline{E_1} \cap \overline{E_2}}$. We will also identify $\overline{\overline{E}}$ with E. 

Let SC be a system of set constraints. Let Var denote the set of variables that appear in SC, and let σ : Var → 2^{T_Σ} be an 
assignment of subsets of T_Σ to variables in Var. Then σ extends in the unique way 
to a function $\overline{\sigma}$ from expressions to subsets of T_Σ. This extension is defined 
as follows: $\overline{\sigma}(X) = \sigma(X)$ for X ∈ Var, $\overline{\sigma}(\bot) = \emptyset$, $\overline{\sigma}(E_1 \cap E_2) = \overline{\sigma}(E_1) \cap \overline{\sigma}(E_2)$, 
$\overline{\sigma}(\overline{E}) = T_\Sigma \setminus \overline{\sigma}(E)$, and for f ∈ Σ_n, we have $\overline{\sigma}(f(E_1, \ldots, E_n)) = \{f(t_1, \ldots, t_n) \mid t_1 \in \overline{\sigma}(E_1), \ldots, t_n \in \overline{\sigma}(E_n)\}$. 
An assignment σ : Var → 2^{T_Σ} is a solution of 
SC, if $\overline{\sigma}(E) \subseteq \overline{\sigma}(E')$ for each constraint E ⊆ E' in SC. A system SC of set 
constraints is satisfiable, if it has a solution. 
Fig. 1. A regular term (on the left) is represented by gray vertices of G_1 and G_2 



3 Automata and Set Constraints 

We adapt here the definition of a t-dag automaton from [Cha99]. A t-dag 
automaton is a tuple (Σ, Q, Δ), where Σ is a finite signature, Q is a finite set 
of states, and Δ is a set of transitions of the form f(q_1, …, q_n) ↦ q with 
q, q_1, …, q_n ∈ Q and f ∈ Σ_n. An automaton is called complete, if for each 
f ∈ Σ_n, and each sequence q_1, …, q_n ∈ Q there exists q ∈ Q such that 
f(q_1, …, q_n) ↦ q belongs to Δ. An automaton A' = (Σ, Q', Δ') is a subautomaton 
of A = (Σ, Q, Δ) iff Q' ⊆ Q and Δ' ⊆ Δ. 

A run of an automaton (Σ, Q, Δ) on a t-graph G = (V, Σ, E) is a mapping 
ρ from V to Q such that for each v, v_1, …, v_n ∈ V, and f ∈ Σ_n, if v =_E 
f(v_1, …, v_n), then Δ contains the transition f(ρ(v_1), …, ρ(v_n)) ↦ ρ(v). If there 
is a run of an automaton A on a graph G, then we say that A accepts G. 

The following lemma states the connections between runs on finite graphs 
and runs on M_Σ. 

^ In so called negative set constraints negated inclusions are also allowed. Such 
systems were analyzed for instance in [CP94]. 
Lemma 1. Let A be an automaton over Σ. The following conditions are equivalent: 

(i) A accepts M_Σ, 

(ii) A accepts every finite subgraph of M_Σ, 

(iii) … (a condition on a subautomaton A' of A and M_Σ) … , 

(iv) … . 

Proof. One can show the following implications: (ii) ⇒ (i), (i) ⇒ (iii), (iii) ⇒ (iv), 
(iv) ⇒ (ii). All the implications but the first one are quite straightforward. In the 
case of (ii) ⇒ (i) we can use the compactness theorem for propositional logic, 
as is sketched below. Assume that (ii) holds. We use the propositional variable 
P^v_q for each vertex v, and each state q of the given automaton A. The intended 
meaning of P^v_q is "the state q is assigned to the vertex v". For each t-graph G, 
using these variables, it is easy to construct a set Φ_G of formulas such that Φ_G 
is satisfiable iff A has a run on G. Now, for any finite Φ' ⊆ Φ_{M_Σ} one can show 
that there is a finite subgraph G of M_Σ such that Φ' ⊆ Φ_G. By the assumption, 
A accepts G, so the set Φ_G is satisfiable, and so is Φ'. Hence, by the compactness 
theorem, Φ_{M_Σ} is satisfiable, which implies that A accepts M_Σ. □ 

Following Charatonik and Pacholski [CP94, Cha99] we define, for a system of 
set constraints SC, the automaton A_SC representing it. Let E(SC) be the set 
of all set expressions occurring in SC together with their complements. 

Definition 1. Let SC be a system of set constraints over Σ. The automaton 
A_SC is (Σ, Q, Δ), where Q ⊆ 2^{E(SC)} and 

1. A subset φ of E(SC) is a state of A_SC, if 

(i) ⊥ ∉ φ, 

(ii) E ∈ φ iff $\overline{E}$ ∉ φ, 

(iii) if (E_1 ∩ E_2) ∈ φ then E_1, E_2 ∈ φ, 

(iv) if E_1 ∈ φ, E_2 ∈ φ, and (E_1 ∩ E_2) ∈ E(SC), then (E_1 ∩ E_2) ∈ φ, 

(v) if E ⊆ E' ∈ SC, and E ∈ φ, then E' ∈ φ, 

(vi) if f(E_1, …, E_n) ∈ φ and g(E'_1, …, E'_m) ∈ φ then m = n and f = g, 

2. Δ is the set of transitions of the form f(φ_1, …, φ_n) ↦ φ, where 

(i) f ∈ Σ_n, and φ, φ_1, …, φ_n ∈ Q, and 

(ii) f(E_1, …, E_n) ∈ φ iff E_i ∈ φ_i for each i = 1, …, n. 

The following lemma (and its proof) is an exact 'translation' of the part of 
Theorem 24 from [Cha99]. 

Lemma 2. A system SC of set constraints is satisfiable if and only if A_SC 
accepts M_Σ. 

Proof. Suppose that σ is a solution of SC. Let t_v denote the term described 
by a vertex v in M_Σ. Then we can define a run ρ of A_SC on M_Σ by setting 
ρ(v) = {E ∈ E(SC) | t_v ∈ $\overline{\sigma}$(E)} ∪ {$\overline{E}$ | E ∈ E(SC), t_v ∉ $\overline{\sigma}$(E)}, for each vertex 
v of M_Σ. Conversely, if there exists a run ρ on M_Σ, we can define a solution σ of 
SC by σ(X) = {t_v ∈ T_Σ | there exists a vertex v of M_Σ such that X ∈ ρ(v)}. 

□ 
Notation: As the proof of Lemma 2 shows, solutions and runs express the same 
relation between terms and variables in different ways: (a) for a solution σ of 
SC, we write t_v ∈ σ(X), whereas (b) for a run ρ of A_SC we write X ∈ ρ(v) 
(where v describes t_v). 

We find it convenient to write constraints in a form which directly expresses 
local relations in a t-graph, using formulas which correspond to (b). So, for 
f ∈ Σ_n, we will write constraints of the form 

∀t_0 = f(t_1, …, t_n) : φ   (*) 

where φ is a boolean combination of formulas of the form (X in t_0), and (X in t_i) 
(for 0 < i ≤ n). 

Constraints of the form (*) can be easily translated to ordinary set con- 
straints: first we change all atomic formulas of the form (E in t_0) into E, and, 
for 1 ≤ i ≤ n, we change (E in t_i) into f(⊤, …, E, …, ⊤) (with E on the i-th posi- 
tion). Then, we replace ∧ by ∩, ∨ by ∪ and ¬ by complementation, obtaining 
an expression S. The resulting set constraint for (*) is f(⊤, …, ⊤) ⊆ S. 

For instance the formula (∀s = f(t_1, t_2) : X in s ⇒ Y in t_1) is translated to 
f(⊤, ⊤) ⊆ $\overline{X}$ ∪ f(Y, ⊤). This formula says that for any run ρ of A_SC, for all 
nodes v and v' such that v is labeled by f and v' is the first son of v, we have 
that X ∈ ρ(v) implies Y ∈ ρ(v'). 

Moreover, if a sequence of variables X = (X_1, …, X_n) is supposed to code 
values from some finite set, then we allow the use of such vectors of variables as 
syntactic sugar in constraints written in the form (*), which is shown in the 
following example. 

Example. The formula 

∀t = f(s) : (X in t) ≠ (X in s)   (1) 

is an abbreviation of the formula 

∀t = f(s) : (X_1 in s) ∧ ¬(X_1 in t) ∨ ¬(X_1 in s) ∧ (X_1 in t) ∨ ⋯ ∨ 
(X_n in s) ∧ ¬(X_n in t) ∨ ¬(X_n in s) ∧ (X_n in t) 

Now, the formula (1) means that for any run ρ of the automaton for the 
constraint (1), for all nodes v and v', such that v' is the only son of v, and v is 
labeled by f, we have that the value of X in ρ(v) is different from the value of 
X in ρ(v'), i.e. if we take a_j = 1 iff X_j ∈ ρ(v), and a_j = 0 iff $\overline{X_j}$ ∈ ρ(v), and 
similarly b_j = 1 iff X_j ∈ ρ(v'), and b_j = 0 iff $\overline{X_j}$ ∈ ρ(v'), then we have that 
(a_1 … a_n) ≠ (b_1 … b_n). 

In a similar way we can use formulas like ∀t = f(s) : (X in s) = (Y in t) or 
∀t = f(s) : (X in s = X in t + 1). 



4 The General Case 

Now we state the main result of the paper. The rest of this section is devoted to 
its proof. 
∀t = a_j(·) : A in t ∧ S in t ∧ P in t   (2) 

∀t = s_i(·, ·) : A in t ∧ S in t ∧ P in t   (3) 

∀t = p_i(·, ·, ·) : A in t ∧ S in t ∧ P in t   (4) 

∀t = … : (K in t) = (K in t_1)   (5) 

∀t = … : (K in t) = (K in t_1)   (6) 

∀t = a_j(t_1) : (P in t) ⇒ (S in t_1) ∧ (A in t_1 ∨ E in t_1)   (7) 

∀t = p_i(t_1, t_2, t_3) : (P in t) ⇒ (S in t_1) ∧ (E in t_1 ∨ P in t_1) ∨ (A in t_2 ∨ E in t_2)   (8) 
∨ (A in t_3 ∨ E in t_3) ∨ (K in t) ≠ (K in t_2) ∨ (K in t) ≠ (K in t_3) 

∀t = s_i(t_1, t_2) : (P in t) ⇒ (E in t_1) ∨ (E in t_2) ∨ (P in t_1) ∨ (A in t_2)   (9) 

∀t = s_i(t_1, t_2) : (H in t) ∨ (E in t)   (10) 
∨ ((K in t) ≠ (K in t_1)) ∨ ((K in t) ≠ (K in t_2)) 

∀t = a_j(t_1) : (H in t) ⇒ (H in t_1)   (11) 

∀t = p_i(t_1, t_2, t_3) : (H in t) ⇒ (H in t_1) ∧ (H in t_2) ∧ (H in t_3)   (12) 

∀t = s_i(t_1, t_2) : (H in t) ⇒ (H in t_1 ∧ H in t_2)   (13) 

∀t = a_i(t_1) : (H in t) ∧ (U in t) = (a_i x_2 ⋯ x_m) ⇒ (U in t_1) = (x_2 ⋯ x_m)   (14) 

∀t = a_i(·) : (H in t) ∧ (U in t) = ε ⇒ (P in t)   (15) 

∀t = p_i(t_1, t_2, t_3) : (H in t) ⇒ (C in t) ∨ (C in t_1)   (16) 
∨ ((U in t_2) = u_i ∧ F in t_1) ∨ ((U in t_3) = v_i ∧ F in t_1) 

∀t = p_i(t_1, t_2, t_3) : (H in t) ∧ (F in t) ⇒ (F in t_2 ∧ F in t_3)   (17) 

∀t = p_i(t_1, t_2, t_3) : (H in t) ∧ (C in t) ⇒ (V in t_2) … (V in t_3)   (18) 

∀t = s_i(t_1, t_2) : (H in t) ⇒ (C in t_1) ∨ (U in t_2) = u_i ∧ F in t_1   (19) 
∨ (U in t_2) = v_i ∧ F in t_1 

Fig. 2. Constraints Φ (complement bars over variables, the functors in (5) and (6), 
and the connective in (18) are not legible in the source) 

Theorem 1. The satisfiability problem for positive set constraints over regular 
terms is undecidable. 

Let (u_1, v_1), …, (u_N, v_N) be an instance of PCP over an alphabet Σ = 
{a_1, …, a_K}. We can assume that the words u_1, v_1, …, u_N, v_N are not empty^. 
We give a system Φ of set constraints (Fig. 2) which has a solution if and only if 
the given instance of PCP has no solution. The explanation of the intended 
meaning of these constraints will be postponed until Subsections 4.2 and 4.3. 

The signature we use consists of the functors s_i of arity 2, and the functors 
p_i of arity 3, for each 1 ≤ i ≤ N (each s_i and p_i corresponds to the pair 
(u_i, v_i)), and the functors a_j of arity 1, for each a_j belonging to Σ. 

^ Undecidability of PCP can be proved if we assume that words are not empty. See 
e.g. the proof of undecidability of PCP in [HU79]. 
4.1 H-structures and Solutions of PCP

In this subsection we define a class of finite t-graphs, called H-structures, which can be used to code solutions of the given instance of PCP.

We say that a vertex is of the type a, if it is labeled by $a_j$, for some j. Similarly, a vertex is of the type s or p, if it is labeled by $s_i$ or $p_i$ respectively, for some i.

Definition 2. An H-structure is a t-graph which consists of one vertex $x_0$ of the type s, called the root, nodes $x_1, \ldots, x_n$ of the type p, and nodes $y_1, \ldots, y_m$ of the type a such that:

(i) the first son of the root is $x_1$, and the second son of the root is $y_1$,

(ii) the only son of $y_i$ is $y_{i+1}$, for $1 \le i < m$, and the only son of $y_m$ is $x_0$,

(iii) for each $1 \le i < n$, the first son of $x_i$ is $x_{i+1}$, and the first son of $x_n$ is $x_0$,

(iv) for each $1 \le i \le n$, the second and the third son of $x_i$ are of the type a (thus belong to $\{y_1, \ldots, y_m\}$).

An example of an H-structure is shown in Fig. 3. Let us notice that labels of vertices of the type a correspond to symbols from $\Sigma$, thus sequences of vertices of this type can code words over $\Sigma$. We formalize it in the following way: a word $w = b_1 \ldots b_n \in \Sigma^*$ has an instance starting at $y_1$ and finishing at $y$, if there exists a path $y_1, \ldots, y_n$ of vertices labeled by $b_1, \ldots, b_n$, and $y$ is the only son of $y_n$.

Let x be a vertex of the type p or s. A vertex y is said to be a second (third) grandson of x, if y is the second (third) son of the first son of x.

Definition 3. A vertex x labeled by $p_k$ is valid, if its first son has the type p, and (a) $u_k$ has an instance starting at the second son of x, and finishing at its second grandson, and (b) $v_k$ has an instance starting at the third son of x, and finishing at its third grandson.

Similarly, a vertex x labeled by $s_k$ is valid, if its first son has the type p, and (a) $u_k$ has an instance starting at the second son of x, and finishing at its second grandson, and (b) $v_k$ has an instance starting at the second son of x, and finishing at its third grandson.

If y is the first son of a valid vertex, then y is said to be charged.

Notice that a charged vertex must have the type p. Now, consider the H-structure from Fig. 3, and suppose that the given instance of PCP has two pairs $(a_1 a_1, a_1)$, $(a_2, a_1 a_1 a_2)$. Consider the path of vertices labeled by $s_1, p_1, p_2, p_1, p_2$. The first three vertices of this path are valid. The charged vertices of this H-structure are the black ones.




Fig. 3. An H-structure. The first sons of vertices of the type p are represented by down arrows, the second sons by gray right arrows, and the third sons by black right arrows.
Definition 4. An H-structure G with the root $x_0$ describes a solution, if there exist charged vertices $x_1, \ldots, x_n$ (of the type p), for $n \ge 1$, such that $x_0, x_1, \ldots, x_n$ is a path in G, and the second and the third son of $x_n$ are the same.

Notice that the vertices $x_0, \ldots, x_{n-1}$ in the definition above must be valid, because the first son of each of them is charged.

Consider again the PCP given by the pairs $(a_1 a_1, a_1)$, $(a_2, a_1 a_1 a_2)$. The H-structure from Fig. 3 describes a solution of this PCP. The described solution is the sequence 1, 1, 2. It is given by the indices of the labels $s_1, p_1, p_2$ of the vertices on the path starting with the root. Note that the next vertex on this path with label $p_1$ (which is not valid, but is charged) is the one whose second and third sons are the same. Note also that the last vertex of the type p is of no use, and we could build a smaller H-structure which describes the same solution.

It is easy to show that the following holds.

Remark 1. The given instance of PCP has a solution, if and only if there exists an H-structure which describes a solution.
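As an added worked example (this is not code from the paper), the following Python builds the H-structure of Definition 2 for a candidate index sequence of the instance used above and checks Definitions 3 and 4 on it. The graph representation, the function names and the particular layout of the a-path (the symbols of the u-concatenation, padded with the remainder of the v-concatenation and one spare symbol so that every second and third son is an a-vertex) are this example's own choices; the last p-vertex is labelled $p_1$ arbitrarily, as in Fig. 3.

```python
"""Added example: H-structures (Definitions 2-4) for a PCP instance.

The graph representation, function names and the build recipe are this example's
own; only the definitions they implement come from the paper."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

Word = Tuple[str, ...]
# Constructed sample instance, the one used in the text: pairs (a1a1, a1), (a2, a1a1a2).
PCP = [(("a1", "a1"), ("a1",)), (("a2",), ("a1", "a1", "a2"))]


@dataclass(eq=False, repr=False)      # identity comparison: the graph is cyclic
class Vertex:
    kind: str                          # "s", "p" or "a"
    index: int                         # the k of s_k / p_k / a_k
    sons: List["Vertex"] = field(default_factory=list)   # arity 2, 3 or 1


def instance_end(start: Vertex, word: Word) -> Optional[Vertex]:
    """If `word` has an instance starting at `start` (a path of a-vertices carrying
    its symbols), return the vertex it finishes at: the only son of the last one."""
    v = start
    for sym in word:
        if v.kind != "a" or v.index != int(sym[1:]):
            return None
        v = v.sons[0]
    return v


def valid(x: Vertex, pcp) -> bool:
    """Definition 3: the first son has type p, u_k finishes at the second grandson and
    v_k at the third one.  For a p_k-vertex the words start at the second and third
    son respectively; for an s_k-vertex both start at the second son."""
    if x.kind not in ("s", "p") or x.sons[0].kind != "p":
        return False
    u, v = pcp[x.index - 1]
    start_u = x.sons[1]
    start_v = x.sons[1] if x.kind == "s" else x.sons[2]
    grandsons = x.sons[0].sons
    return (instance_end(start_u, u) is grandsons[1]
            and instance_end(start_v, v) is grandsons[2])


def describes_solution(root: Vertex, pcp) -> Optional[List[int]]:
    """Definition 4: follow first sons from the root while the current vertex is valid
    (so the next one is charged); the indices collected so far form a solution as soon
    as a charged vertex has identical second and third sons."""
    indices, x, seen = [], root, set()
    while valid(x, pcp) and id(x) not in seen:
        seen.add(id(x))
        indices.append(x.index)
        x = x.sons[0]                  # charged: first son of a valid vertex
        if x.sons[1] is x.sons[2]:
            return indices
    return None


def build_h_structure(pcp, indices: Sequence[int]) -> Vertex:
    """Definition 2 construction for the candidate sequence i_1, ..., i_n (example's
    own recipe): y_1 ... y_m carry the symbols of u_{i_1} ... u_{i_n}, x_j is labelled
    p_{i_{j+1}} (the last one p_1), and the second/third sons of x_j point at the
    a-vertex reached after consuming j pairs of the u- and v-concatenations."""
    u_word = [s for i in indices for s in pcp[i - 1][0]]
    v_word = [s for i in indices for s in pcp[i - 1][1]]
    labels = u_word + v_word[len(u_word):] + ["a1"]      # one spare a-vertex
    ys = [Vertex("a", int(s[1:])) for s in labels]
    root = Vertex("s", indices[0])
    for a, b in zip(ys, ys[1:]):
        a.sons = [b]
    ys[-1].sons = [root]                                 # (ii): y_m's son is x_0
    n = len(indices)
    xs = [Vertex("p", indices[j + 1] if j + 1 < n else 1) for j in range(n)]
    pos_u = pos_v = 0
    for j, i in enumerate(indices):
        pos_u += len(pcp[i - 1][0])
        pos_v += len(pcp[i - 1][1])
        nxt = xs[j + 1] if j + 1 < n else root           # (iii): x_n's first son is x_0
        xs[j].sons = [nxt, ys[pos_u], ys[pos_v]]
    root.sons = [xs[0], ys[0]]                           # (i)
    return root


def is_pcp_solution(pcp, indices: Sequence[int]) -> bool:
    """Plain PCP check, used to cross-validate the H-structure encoding."""
    u = tuple(s for i in indices for s in pcp[i - 1][0])
    v = tuple(s for i in indices for s in pcp[i - 1][1])
    return len(indices) > 0 and u == v
```

`describes_solution(build_h_structure(PCP, [1, 1, 2]), PCP)` returns `[1, 1, 2]`, while `[1, 2]` yields `None` because the p_2-vertex fails condition (b) of Definition 3; for a longer candidate such as `[1, 1, 2, 1]` the walk stops at the first charged vertex whose two sons coincide and reports the prefix `[1, 1, 2]`, which is why the construction never reports a sequence that is not a PCP solution.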

Now, we state two lemmas which constitute the major steps of the proof of Theorem 1. The proofs of these lemmas are given in separate subsections.

Lemma 3. $A_\Phi$ accepts all finite t-graphs if and only if $A_\Phi$ accepts all H-structures.

Lemma 4. An H-structure G is accepted by $A_\Phi$ if and only if G does not describe a solution.

Lemmas 2, 3, and 1 imply that the system $\Phi$ from Fig. 2 is satisfiable if and only if $A_\Phi$ accepts all H-structures. Consequently, by Remark 1 and Lemma 4, the given instance of PCP has no solution if and only if the system of set constraints from Fig. 2 is satisfiable, which completes the proof of Theorem 1.

4.2 The Proof of Lemma 3

A vertex of the type p is well-typed, if its first son has the type p or s, and its second and third sons have the type a. A vertex of the type a is well-typed, if its only son has the type a or s. A vertex of the type s is well-typed, if its first son has the type p, and its second son has the type a. Notice that all the vertices of any H-structure are well-typed.

Now, we introduce a notion of a witness, which is intended to give evidence that a vertex v (of the type s) is not a root of any H-structure, and to carry some information which will be used later in the proof.

Definition 5. Let G be a t-graph, and v be a vertex of the type s. A witness for v has one of the following forms:

(a) $(v, \{v, z_1, \ldots, z_n\})$, if $v, z_1, \ldots, z_n$ is a path in G, where none of $z_1, \ldots, z_n$ has the type s, and only the last vertex of $v, z_1, \ldots, z_n$ is not well-typed.

(b) $(v, \{v, z_1, z_2, \ldots\})$, if $v, z_1, z_2, \ldots$ is an infinite path in G of well-typed vertices, where none of $z_1, z_2, \ldots$ has the type s.

(c) $(w, \{v, x_1, \ldots, x_n\})$, if $v, x_1, \ldots, x_n, y_1, \ldots, y_m, w$ is a path in G, where the vertex $w \neq v$ has the type s; the vertices $x_1, \ldots, x_n$ are well-typed, and have the type p; the vertices $y_1, \ldots, y_m$ are well-typed, and have the type a.

(d) $(w, \emptyset)$, if there is a path of the form $v, x_1, \ldots, x_n, w$ in G, where the vertex $w \neq v$ has the type s; the vertices $x_1, \ldots, x_n$ are well-typed, and either each of them has the type p, or each of them has the type a.

The set of all the witnesses for v is denoted by W(v).

Note that a witness of the form (a) corresponds to the case when, starting with v, we can reach some vertex which is not well-typed. A witness of the form (b) corresponds to the case when there is an infinite path of well-typed vertices of the type p or a starting with v. A witness of the form (c) or (d) corresponds to the case when, starting with v, we can reach a vertex $w \neq v$ of the type s: a witness has the form (c) if the path from v to w contains vertices of the type p followed by vertices of the type a, and a witness has the form (d) if the path from v to w contains vertices only of the type p, or only of the type a.

One can check that a vertex v of the type s is the root of some H-structure, if and only if W(v) is empty.

In order to prove the nontrivial implication of Lemma 3, let us assume that $A_\Phi$ accepts all H-structures. Let G be a finite t-graph, and $G_0$ be the subgraph of G containing exactly all the H-structures of G. Because these H-structures have disjoint sets of vertices, and each of them has an accepting run, there exists an accepting run $\rho_0$ of $A_\Phi$ on $G_0$. We will extend $\rho_0$ to a run $\rho$ on G, but first we informally explain the role of some variables used in the constraints from Fig. 2:

— A, S, P: type variables. In each vertex v exactly one of these variables has to be set: A has to be set in v (i.e. $A \in \rho(v)$) if v has the type a, and so on (see (2)-(4)).

— K: a vector of variables which can code a color, i.e. a value from $\{\alpha, \beta, \gamma\}$. The constraints (5)-(6) guarantee that each vertex of the type a or p has the same color as its first son, thus each H-structure is colored with one color. These variables are used to detect cases related to the points (c) and (d) of Definition 5.

— E: an error flag. If set in a vertex v, it indicates that v cannot be a part of any H-structure. The constraints (7)-(9) allow us to set E in v only if either (i) E is set in some son of v of a type different than s, (ii) v is not well-typed, or (iii) v has the type p and it has a different color than its second or third son (this is related to point (c) of Definition 5).

— H: an H-structure indicator. This variable is intended to be set exactly in those vertices which are a part of some H-structure. The constraints (11)-(13) guarantee that, if H is set in some vertex, then it must also be set in all its sons. The constraint (10) guarantees that H must be set in a vertex v of the type s unless (i) E is set in v, which corresponds to the points (a), (b) or (c) of Definition 5, or (ii) v has a different color than one of its sons, which corresponds to the point (d) of Definition 5.

Note that, if the variable H is not set in some vertex v (so v is not a part of any H-structure), then (11)-(19) are obviously satisfied in v.

As we have noticed, v of the type s is the root of some H-structure, if and only if $W(v) = \emptyset$. Let $V_S$ denote the set of vertices of the type s from $G \setminus G_0$. For each $v \in V_S$, $W(v) \neq \emptyset$, so let us choose one witness from W(v), and denote it by f(v). One can assign a color $c_v \in \{\alpha, \beta, \gamma\}$ to each vertex v of G of the type s in such a way that, if $f(v) = (w, B)$ for some $w \neq v$, then $c_v \neq c_w$, and, for $v \in G_0$, we have $c_v = (K \text{ in } \rho_0(v))$.

Now, we extend $\rho_0$ to a run $\rho$ on G. For each $v \in G \setminus G_0$, we define $\rho(v)$ as follows. We set the variable H to 0. We set the type variables (A, S, P) according to the type of v (e.g. A set and S, P unset in vertices of the type a). We set the variable E to 1 if and only if, for some $v' \in V_S$ with $f(v') = (w, B)$, the vertex $v \in B$. If $v \in V_S$ then we set K to $c_v$, otherwise we give v the color of its first son (when, following first sons, we get into a cycle, we can set K to $\alpha$ in all the vertices of this cycle). The values of the other variables do not matter. One can now show that $\rho$ is a run on G. □

4.3 The Proof of Lemma 4

Lemma 5. Let G be an H-structure, and let $\rho$ be a run of $A_\Phi$ on G. Then H is set in $\rho(v)$ for every vertex v of G.

Proof. It is easy to check that all the vertices of G have the same value of K in $\rho$. Moreover, one can check that E must not be set in $\rho(v)$, for each v in G. Thus, the only way to satisfy the constraint (10) for the root r is to set H in $\rho(r)$. So, by the constraints (11)-(13), H must be set in all the vertices of G. □

Let us now describe the intended meaning of the variables used in this part of the proof. As we consider here H-structures, we assume that, according to Lemma 5, the variable H is set in any vertex considered.

— U: a sequence of variables of a length sufficient to code a special value o, and words over $\Sigma$ not longer than l, where l is the length of the longest of the words in the given instance of PCP. It is used to check whether some word has an instance at a given place (see (14)-(15)), and so to check validity of vertices.

— F: an auxiliary variable used together with U to check validity of vertices.

— C: the constraints (14)-(16) and (19) guarantee that, in any run, C has to be set in the vertices denoted by $x_1, \ldots, x_n$ in Definition 4 (that is, in the sequence of charged vertices).

— V: a vector of variables which can code one of the colors $\alpha, \beta, \gamma$. It is used only in (18), which guarantees that the second and the third son of a charged vertex (a vertex with the variable C set) must not be the same.

In order to prove Lemma 4, we first show that if an H-structure G describes a solution, then $A_\Phi$ does not accept G.

Proof. Suppose that G describes a solution, and suppose that $\rho$ is a run of $A_\Phi$ on G. Let $x_0, \ldots, x_n$ denote vertices according to Definition 4. Using Lemma 5, one can show that (14)-(15) have the following consequence: if a word u has an instance starting at x and finishing at y, and $(U \text{ in } \rho(x)) = u$, then $F \in \rho(y)$. Using that together with (16), (17), (19) one can prove, by induction on i, that $C \in \rho(x_i)$, for $1 \le i \le n$. In particular, $C \in \rho(x_n)$. By Definition 4, the second and the third sons of $x_n$ are the same, which implies that $\rho$ cannot fulfill (18), and contradicts the assumption that $\rho$ is a run on G. □

Now, we show that if an H-structure G does not describe a solution, then $A_\Phi$ accepts G.

Proof. Let $x_0, \ldots, x_n$ and $y_1, \ldots, y_m$ denote vertices according to Definition 2. For $i \in \{1, \ldots, n\}$, we define s(i) and t(i) in such a way that $y_{s(i)}$ is the second son of $x_i$, and $y_{t(i)}$ is its third son.

Let $x_k$ be the first not valid vertex from $x_0, \ldots, x_n$ (such a vertex exists, because $x_n$ is not valid). Notice that G does not describe a solution, and, for each $i \in \{1, \ldots, k\}$, $x_i$ is charged, so we have $s(i) \neq t(i)$, and moreover $s(i) < s(i+1)$ and $t(i) < t(i+1)$. Using these facts, one can prove that each vertex v can be assigned a color $f(v) \in \{\alpha, \beta\}$ such that, for each $i \in \{1, \ldots, k\}$, it holds that $f(y_{s(i)}) \neq f(y_{t(i)})$.

Now, we define a function $\delta$ from the set of vertices of G to the set of values that can be coded in U. If k = n, then let $\delta(v) = o$, for each vertex v of G. Otherwise (i.e. if k < n), since $x_k$ is not valid, there are two possible cases, which correspond to the violation of the condition (a) or of the condition (b) of Definition 3. We consider the case (a), and we assume that $k \neq 0$ (in the other cases the proof proceeds similarly). Let $p_j$ be the label of $x_k$, and $u_j = b_0 \ldots b_l$. Let d be the greatest natural number such that the labels of $y_{s(k)}, \ldots, y_{s(k)+d}$ are a prefix of $u_j$ (d cannot be greater than l). For $0 \le i \le d+1$, let $\delta(y_{s(k)+i}) = b_i \ldots b_l$. For a vertex $v \notin \{y_{s(k)}, \ldots, y_{s(k)+d+1}\}$, let $\delta(v) = o$.

Now we construct a run $\rho$ such that:

— in each vertex v of G we set H to 1 and E to 0; the type variables we set according to the type of v, and the variables K we set to $\alpha$,

— we set F to 1 in each vertex, with the exception of $x_{k+1}$ and its second and third sons, if k < n,

— we set the variable C to 1 only in the vertices $x_0, \ldots, x_k$,

— in each vertex v, we set V to f(v), and U to $\delta(v)$.

One can check that $\rho$ is a run of $A_\Phi$ on G. □

5 The Unary Case

In this section we consider positive set constraints which use only constants and unary function symbols. Such systems will be called unary set constraints (USC). The problem of deciding whether a system of USC is satisfiable turns out to be EXPSPACE-complete, which is an immediate consequence of the following theorems.

Theorem 2. The satisfiability problem for USC is in EXPSPACE.

Theorem 3. The satisfiability problem for USC is EXPSPACE-hard.



5.1 Proof of Theorem 2

Let $\Sigma$ be a signature, and $f_1, \ldots, f_n \in \Sigma$. A finite t-graph (V, A, E) with the set of vertices $V = \{v_1, \ldots, v_n\}$ is a cycle $(f_1, \ldots, f_n)$, if $v_1 =_E f_1(v_n)$, and $v_i =_E f_i(v_{i-1})$, for $1 < i \le n$.

Intuitively, cycles are the most difficult parts of a t-graph when we want to find a run. This is stated by the following lemma:

Lemma 6. A , , . . , ■ i i i E A , // , ' ,

Proof. Sketch. To carry out the proof in the nontrivial direction, note that the connected components of a graph can be considered separately. Each such component contains at most one cycle. To find a run for a whole connected component, we first find a run on the only cycle, and then use the completeness of the automaton.

Now, for a t-graph automaton A, we define a deterministic finite automaton $\hat{A}$ (working on finite words) in such a way that runs of A on cycles can be simulated by $\hat{A}$.

Definition 6. Let $A = (\Sigma, Q, \Delta)$ be a t-graph automaton with $Q = \{q_1, \ldots, q_n\}$. The deterministic finite automaton $\hat{A} = (\Sigma, \hat{Q}, \hat{q}_0, \hat{F})$ is given by $\hat{Q} = (2^Q)^n$, $\hat{q}_0 = (\{q_1\}, \ldots, \{q_n\})$, $\hat{F} = \{(Q_1, \ldots, Q_n) \mid q_i \in Q_i \text{ for some } 1 \le i \le n\}$, and the transition on a letter f takes $(Q_1, \ldots, Q_n)$ to $(Q'_1, \ldots, Q'_n)$, where

$Q'_i = \{q' \in Q \mid q \in Q_i,\ (f(q), q') \in \Delta\}$.

One can prove the following lemma, which expresses a correspondence between automata on words and t-graph automata on cycles.

Lemma 7. Let A be a t-graph automaton and $f_1, \ldots, f_k \in \Sigma$. Then A accepts the cycle $(f_1, \ldots, f_k)$ if and only if $\hat{A}$ accepts the word $f_1 \ldots f_k$.

Deciding whether a deterministic finite automaton is universal (i.e. accepts all words) is NLOGSPACE-complete. Knowing that, since the size of $\hat{A}$ is $2^{n^2}$, it is easy to prove that, for a t-graph automaton A, the problem of deciding whether A is universal is in PSPACE.

Now we give the nondeterministic algorithm working in EXPSPACE^2, verifying whether a given system SC of set constraints is satisfiable:
, , , Asc , ' , , ^ , . . , . , . , , ^ - Asc , -

It is easy to check that this algorithm works in EXPSPACE. Its correctness follows directly from Lemmas 1, 2, 6, 7.

5.2 Proof of Theorem 3

Suppose that M is a deterministic Turing machine which, for an input word w of length n ($w \in \{0,1\}^*$), uses space bounded by $2^N$, where $N = n^l$ for some integer l. We assume that the set of states is $Q = \{0, \ldots, K\}$, the tape alphabet is $\Gamma = \{0, \ldots, L\}$, the number 0 denotes the initial state and the blank symbol, $Q_f \subseteq Q$ is the set of accepting states, and $\delta$ is the transition function.

Without loss of generality we can assume that Q is a union of three disjoint sets $Q_L$, $Q_R$ and $\{0\}$, such that M can be in a state belonging to $Q_L$ ($Q_R$) only after its head has been moved left (right, respectively).^3 Thus the transition function $\delta$ can be seen as a function from $Q \times \Gamma$ to $Q \times \Gamma$.

Let $u = u_1 \ldots u_n \in \{0,1\}^*$ be the input word. We will construct a system $\Phi$ of set constraints such that M accepts u if and only if $\Phi$ is not satisfiable. In the set constraints $\Phi$ we use the signature $\Sigma = \Sigma_1 = \{f_0, \ldots, f_K\}$.

Let us notice that a sequence $0, q_1, \ldots, q_n$ of states of M can be coded as the cycle $f_0, f_{q_1}, \ldots, f_{q_n}$. This gives us the opportunity to code computations using t-graphs (note that a sequence of states determines the position of the head). A sequence $0, q_1, \ldots, q_n$ of states of M is accepting, if $q_n \in Q_f$. It is valid, if there is a computation of M on u with these states.

We will consider a computation of M for u from the point of view of the i-th cell. A sequence $0, q_1, \ldots, q_n$ of states of M is valid with respect to the i-th cell, if there exists a sequence of tape symbols $a_0, a_1, \ldots, a_n$ such that (1) $a_0$ is the tape symbol contained in the i-th cell at the start of the computation, and (2) if the position of the head of M in the j-th step is i, then $\delta_M(q_j, a_j) = (q_{j+1}, a_{j+1})$, otherwise $a_{j+1} = a_j$.

Note that a sequence of states is valid if and only if it is valid with respect to the i-th cell, for all $0 \le i < 2^N$. In Figure 4 we give a system $\Phi$ of set constraints which is solvable if and only if M does not accept u.

In the constraints we use the following variables: $P = P_1, \ldots, P_N$ (related to the position of the head), $A = A_1, \ldots, A_N$ (related to the address of a cell), $X = X_1, \ldots, X_{\lceil \log_2 L \rceil}$ (related to the content of the cell pointed to by A), $Q = Q_1, \ldots, Q_{\lceil \log_2 K \rceil}$ (related to a state of M). We use a special variable T which is a sign of an invalid computation, and variables K which are supposed to code a color (i.e. an element from $\{\alpha, \beta, \gamma\}$).

One can prove the following lemma.

Lemma 8. $A_\Phi$ accepts all finite t-graphs if and only if $A_\Phi$ accepts all cycles of the form $f_0, f_{q_1}, \ldots, f_{q_n}$ with $q_i \neq 0$ for $i = 1, \ldots, n$.

^2 We can use nondeterminism here because EXPSPACE = NEXPSPACE.

^3 We can easily transform any Turing machine so that it meets this condition.
$\forall t = f_0(s):\ (K \text{ in } s) \neq (K \text{ in } t) \vee (\mathrm{start}(t) \wedge \neg(T \text{ in } t) \wedge ((T \text{ in } s) \vee \mathrm{nacc}(s)))$ (20)

$\forall t = f_i(s):\ (K \text{ in } t) = (K \text{ in } s) \wedge$ (21)
$\quad ((T \text{ in } s) \vee (\neg(T \text{ in } t) \wedge \mathrm{good}_i(t, s)) \vee ((T \text{ in } t) \wedge \mathrm{bad}_i(t, s)))$ (for all $0 < i \le K$) (22)

where

$\mathrm{nacc}(t) = \bigwedge_{i \in Q_f} (Q \text{ in } t) \neq i$ (23)

$\mathrm{start}(t) = (P \text{ in } t) = 0 \wedge (Q \text{ in } t) = 0 \wedge [((A \text{ in } t) > n \wedge (X \text{ in } t) = 0) \vee \bigvee_{1 \le i \le n} ((A \text{ in } t) = i \wedge (X \text{ in } t) = u_i)]$ (24)

$\mathrm{bad}_i(t, s) = (A \text{ in } s) = (P \text{ in } s) \wedge \delta_M((Q \text{ in } s), (X \text{ in } s)) = (j, w)$, where $j \neq i$ (25)

$\mathrm{good}_i(t, s) = \mathrm{next}_i(t, s) \wedge (A \text{ in } t) = (A \text{ in } s) \wedge (Q \text{ in } t) = i \wedge (\varphi_i \vee \psi_i)$ (26)

$\varphi_i = (A \text{ in } s) = (P \text{ in } s) \wedge \delta_M((Q \text{ in } s), (X \text{ in } s)) = (i, (X \text{ in } t))$ (27)

$\psi_i = (A \text{ in } s) \neq (P \text{ in } s) \wedge (X \text{ in } t) = (X \text{ in } s)$ (28)

$\mathrm{next}_i(t, s) = (P \text{ in } t) = (P \text{ in } s) + 1$, if $i \in Q_R$ (29)

$\mathrm{next}_i(t, s) = (P \text{ in } t) = (P \text{ in } s) - 1$, if $i \in Q_L$ (30)

Fig. 4. Constraints $\Phi$



Now we give some intuition how $A_\Phi$ works on t-graphs which possibly code computations of M. The main idea is as follows: successive vertices of a t-graph describe successive states of the computation of M from the point of view of the k-th cell. The number k is coded in A, and X represents the content of the cell within the computation. $\mathrm{next}_i(t, s)$ describes changes of the position of the head; nacc(t) says that the state coded in vertex t is not accepting. The expression $\mathrm{good}_i(t, s)$ guarantees that consecutive vertices have proper values of P, A, Q, X: the value of P is incremented or decremented depending on the state, the value of A is copied (since we still look at the same cell), and the value of Q, which codes a state, changes according to the label of the node. The value of X changes only if the head of the machine M looks at the selected cell. These changes have to agree with the transition function of M. The expression $\mathrm{bad}_i(t, s)$ says that i cannot be the next state of M, if the current state was coded in s.
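The cell-local view of a computation is the core of the reduction, so here is an added example (not code from the paper) that implements "valid with respect to the i-th cell" directly and cross-checks it against a plain simulation, for a small constructed machine in the normal form assumed above. The example assumes that the head starts on cell 0, which holds the blank, and that the input occupies cells 1..n, matching start(t); the space bound $2^N$ is replaced by a small explicit number of cells; the machine, its transition table and the sample inputs are constructed here and do not come from the paper.

```python
"""Added example: the 'view from the i-th cell' of a Turing machine computation.

Constructed machine in the paper's normal form: delta maps (state, symbol) to
(new state, written symbol); after entering a state of Q_R the head has moved
right, after a state of Q_L left.  State 0 is initial and 0 is the blank.
Assumed layout (this example's own): head on cell 0, input in cells 1..n.
The machine erases a block of 1s to the right of the start cell and accepts
(state 3) iff the block has even length; it halts in 3 or 4 (no transitions)."""
from typing import Dict, List, Sequence, Tuple

Q_R = {1, 2}          # 1: even number of 1s erased so far, 2: odd number
Q_L = {3, 4}          # 3: accept, 4: reject
Q_F = {3}
DELTA: Dict[Tuple[int, int], Tuple[int, int]] = {
    (0, 0): (1, 0),   # leave the (blank) start cell to the right
    (1, 1): (2, 0),   # erase a 1, parity flips
    (2, 1): (1, 0),
    (1, 0): (3, 0),   # blank after an even block: accept
    (2, 0): (4, 0),   # blank after an odd block: reject
}


def head_positions(states: Sequence[int]) -> List[int]:
    """Head position before each step: P starts at 0 and, as next_i(t, s) says,
    rises by one on entering a Q_R state and drops by one on a Q_L state."""
    pos = [0]
    for q in states[1:]:
        pos.append(pos[-1] + (1 if q in Q_R else -1))
    return pos


def initial_cell(u: Sequence[int], i: int) -> int:
    """Content of cell i before the first step (the start(t) predicate)."""
    return u[i - 1] if 1 <= i <= len(u) else 0


def valid_wrt_cell(delta, u: Sequence[int], states: Sequence[int], i: int) -> bool:
    """'Valid with respect to the i-th cell': symbols a_0, ..., a_n exist with a_0 the
    initial content of cell i, a_{j+1} = a_j while the head is elsewhere (psi_i) and
    delta(q_j, a_j) = (q_{j+1}, a_{j+1}) while it is on cell i (phi_i).  M is
    deterministic, so the a_j are forced and one pass decides; a step predicting a
    different next state is exactly the situation described by bad_i."""
    if not states or states[0] != 0:
        return False
    pos = head_positions(states)
    a = initial_cell(u, i)
    for j in range(len(states) - 1):
        if pos[j] == i:
            step = delta.get((states[j], a))
            if step is None or step[0] != states[j + 1]:
                return False
            a = step[1]
    return True


def valid(delta, u: Sequence[int], states: Sequence[int], cells: int) -> bool:
    """A sequence is valid iff it is valid with respect to every cell 0 <= i < cells."""
    return all(valid_wrt_cell(delta, u, states, i) for i in range(cells))


def accepting(states: Sequence[int]) -> bool:
    return states[-1] in Q_F


def run(delta, u: Sequence[int], max_steps: int = 100) -> List[int]:
    """Direct simulation of M on u, only used to cross-check the cell-local notion."""
    tape = {i: initial_cell(u, i) for i in range(len(u) + 2)}
    states, pos = [0], 0
    while len(states) <= max_steps:
        step = delta.get((states[-1], tape.get(pos, 0)))
        if step is None:
            break
        q, a = step
        tape[pos] = a
        states.append(q)
        pos += 1 if q in Q_R else -1
    return states
```

On input 11 the simulation yields the state sequence 0, 1, 2, 1, 3, which is valid with respect to every cell and accepting; replacing the third state by 1 leaves the sequence valid with respect to cell 0 (the head has already left it) but invalid with respect to cell 1, where the head sat when the wrong state was entered. This locality is what lets a single cell address in A, carried along the cycle, detect an invalid sequence.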

The next lemma relates cycles of the form $f_0, f_{q_1}, \ldots, f_{q_n}$ with computations of M.

Lemma 9. $A_\Phi$ accepts the cycle $f_0, f_{q_1}, \ldots, f_{q_n}$, where $q_i \neq 0$ for $i = 1, \ldots, n$, if and only if the sequence $0, q_1, \ldots, q_n$ is not a valid accepting sequence of states of M.

Lemmas 8 and 9 suffice to conclude that $A_\Phi$ accepts all finite t-graphs iff M rejects u. So, thanks to Lemmas 1 and 2, M rejects u iff the system $\Phi$ has a solution, which completes the proof of Theorem 3.

6 Future Work

It could be useful to find other variants of set constraints for which the satisfiability problem over sets of regular terms is decidable. In particular, it is worth considering the so-called definite set constraints [HJ90], for which the satisfiability problem over the Herbrand universe is EXPTIME-complete [CP97].
Abstract. We discuss the benefits of complete unsound inference procedures for efficient methods of disproof. We give a framework for converting a sound and complete saturation-based inference procedure into successive unsound and complete procedures, that serve as successive approximations to the theory. The idea is to successively add new statements in such a way that the inference procedure will halt. Then satisfiability is evaluated over a stronger theory. This gives an over-approximation to the given theory. We show how to successively compute better over-approximations. Similarly, a sound and incomplete theorem prover will give an under-approximation. In our framework, we successively compute better over- and under-approximations in this way.

We illustrate this framework with Knuth-Bendix Completion, and show that in some theories this method becomes a decision procedure. Then we illustrate the framework with a new method for the (nonground) word problem, based on Congruence Closure. We show a class where this becomes a decision procedure. Also, we show that this new inference system is interesting in its own right. Given a particular goal, in many cases we can halt the procedure at some point and say that all the equations for solving the goal have been generated already. This is generally not possible in Knuth-Bendix Completion.



1 Introduction 

The major problem in automated theorem proving, that of deciding the unsat- 
isfiability of a set of statements, is undecidable in general. This is true in first 
order logic and equational logic, for example. There exist sound and complete 
theorem provers. If a theorem prover is sound, then that means that when it 
gives a proof of a theorem, you are guaranteed that it is correct. If a theorem 
prover is complete, then when a conjecture is true, a proof is guaranteed to be 
found. 

Automated theorem provers have been used to prove difficult theorems. But 
the search space is so large that in practice, more efficient incomplete sound 
theorem provers are often used. Then proofs can be trusted, but disproofs cannot. 

Our focus in automated theorem proving is not in finding proofs for difficult 
mathematical theorems. Instead, we are interested in using theorem provers to 
solve verification problems. When used in that context, many of the conjectures
given to a theorem prover will be false. So we would like to be able to trust a 
result that a conjecture is false. In that case, incomplete theorem provers are 
useless. Also, complete and sound theorem provers are generally not so efficient. 

Therefore, we create a framework for unsound complete theorem provers for 
disproving conjectures. This technique is useful to weed out theorems which are 
obviously not true. There are simple examples where theorem provers run forever 
trying to solve conjectures that are trivially false to a human. In addition, we 
could use an unsound and complete theorem prover in combination with a sound 
and incomplete theorem prover to approximate a conjecture from both sides. 

The framework given in this paper is for saturation theorem provers, which 
operate by continually inferring new statements implied by previous statements. 
Our framework consists of a modification to a saturation theorem prover. We 
modify it by adding statements that are not necessarily implied by previous 
statements. These potentially false statements are chosen in such a way as to 
force the theorem prover to halt. The effect of this is to evaluate a stronger 
conjecture. The procedure is complete, so that if the stronger conjecture is false, 
then the given conjecture is false. The theorem prover has approximated the 
theory with a stronger theory: an unsound approximation. 

We iterate this process. We run the theorem prover again, but this time try
to approximate the theory with a weaker theory than before. In this way, we
continually approximate the given theory.

In our framework, we have also shown that it is possible to create a weak 
approximation, and gradually attempt to make this approximation stronger. We 
iterate the construction of the two approximations, one strong and one weak. 
Anything found true in the weak one is true, and things found false in the strong 
one are false. In some cases this becomes a decision procedure. 

There is another benefit to our framework that might not be so obvious. 
Suppose that we have a complete theorem prover that halts without proving the 
conjecture. Then that final saturated set is a disproof of the conjecture. Our 
unsound method is complete, so that it gives a disproof, although in a stronger 
theory. This has in effect abstracted properties from the conjecture and disproved 
the abstraction. We argue that in this abstraction the disproofs will generally 
be shorter and easier to understand than disproofs in the original theory. 

For examples, we instantiate this framework with two concrete inference sys- 
tems. First is Knuth-Bendix Completion [3], where we show a class of theories 
where this becomes a decision procedure. However, the direct purpose of this 
paper is not in finding new decision procedures; that is only an example of the 
kinds of things that can be done within this framework. 

The second inference system which we use to instantiate this framework is a 
new inference procedure, as far as we are aware. It is based on Abstract Con- 
gruence Closure, for ground equational theories [4, 6] which we extend to non- 
ground theories. For this inference system, we show that it is sometimes possible 
to examine the set of equations during the derivation and deduce that the con- 
jecture can never be proved from this point. This is generally impossible to do in 
theorem proving, because even if the equations become large, it is always possible
that an equation can be simplified to a smaller one. 

In Section 2, we introduce theorem proving derivations, and give the frame- 
work for unsound theorem proving. In Section 3, we instantiate the framework 
with Knuth-Bendix Completion. In Section 4, we introduce Nonground Congru- 
ence Closure and instantiate the framework with that. We conclude the paper 
with a discussion of how to apply this method to Resolution and Paramodula- 
tion inference systems, and a comparison with related work. This paper does not 
contain any of the proofs. All of the proofs and all of the technical details can 
be found at www.clarkson.edu/~clynch/papers/uf.ps/ 



2 Framework

Basic definitions of theorem proving derivations are from [2, 9]. A saturation inference system is an inference system that starts with some set of statements, and uses transformation rules to create new statements and delete old ones. Transformation rules are of the form $\Gamma \longrightarrow \Delta$, where $\Gamma$ and $\Delta$ are both sets of statements. The meaning of a transformation rule is that the statements in $\Gamma$ should be replaced by the statements of $\Delta$. There are two kinds of transformation rules: inference rules and deletion rules. Inference rules are of the form $\{C_1, \ldots, C_n\} \longrightarrow \{C_1, \ldots, C_n, C\}$. It indicates that in the presence of $C_1, \ldots, C_n$, C should be added. We will write that inference rule in the following notation:

$\dfrac{C_1 \ \cdots \ C_n}{C}$

Deletion rules will be of the form $\{C_1, \ldots, C_n\} \longrightarrow \{C_2, \ldots, C_n, D_1, \ldots, D_m\}$. This means that if the statements $C_1, \ldots, C_n$ exist in the current set of statements, then $C_1$ should be deleted and $D_1, \ldots, D_m$ added. Inference rules represent rules that must be performed in an inference procedure, and deletion rules may be performed if desired.

Given a set of inference rules I and deletion rules D, an (I, D) theorem proving derivation is a (possibly infinite) sequence $S_1, S_2, \ldots$ of sets of statements such that each $S_{i+1}$ is obtained by applying an inference rule from I or a deletion rule from D to clauses of $S_i$. We define $S_\infty = \bigcup_{i \ge 1} \bigcap_{j \ge i} S_j$. The clauses in $S_\infty$ represent the set of persisting statements, i.e., the statements that are never deleted after i, for some i. Given a set of inference and deletion rules, since we assume they are applied according to some strategy, we can assume there is one theorem proving derivation for each set of statements.

We assume a well-founded ordering < on the statements. Based on that ordering, there is a notion of redundancy. A statement C is redundant in S if there are statements $C_1, \ldots, C_n \in S$ such that $C_i < C$ for all i, and $C_1, \ldots, C_n \models C$. We will construct the deletion rules so that they cannot be performed unless $C_1$ is redundant in $\{C_2, \ldots, C_n, D_1, \ldots, D_m\}$. A set of statements S is said to be saturated if the conclusion of every inference from S is either in S or is redundant in S. A theorem proving derivation $S_1, S_2, \ldots$ is fair if for every inference from $S_\infty$ with conclusion C, there exists an i such that $C \in S_i$ or C is redundant in $S_i$. If $S_1, S_2, \ldots$ is fair, then $S_\infty$ is saturated.

The inference rules are sound if $C_1, \ldots, C_n \models C$. The deletion rules are sound if $C_1, \ldots, C_n \models D_i$ for all i. Inference rules are designed so that each saturated set has certain properties. The most common is the refutational property. In that case, we distinguish a new atom called $\bot$, usually called the empty clause, which indicates that a set of statements is unsatisfiable. We have the important definitions of soundness and completeness of an inference system.

Definition 1. Let I be a set of inference rules and D a set of deletion rules. The pair (I, D) is sound if, for every theorem proving derivation $S_1, S_2, \ldots$, $\bot \in S_\infty$ implies that $S_1$ is unsatisfiable. It is complete if, for every theorem proving derivation $S_1, S_2, \ldots$, $\bot \in S_\infty$ whenever $S_1$ is unsatisfiable.

It is obvious that a set of inference and deletion rules is sound if each individual inference and deletion rule is sound.

From the definitions of soundness and completeness, we see that if we can show that a sound set of inference rules produces $\bot$ from S, then S is unsatisfiable. Analogously, if we can show that a complete set of inference rules does not produce $\bot$ from S, then S is satisfiable. Exhibiting the entire theorem proving derivation gives us a proof of unsatisfiability (or satisfiability) in the respective cases. Obviously, this is only possible if the theorem proving derivation is finite.

Smaller proofs are preferable. For a proof of unsatisfiability, it is only necessary to give the set of statements and the inference and deletion rules that lead up to $\bot$. Therefore, it is necessary to save histories throughout the theorem proving process, or to have some way of reconstructing them.

For a proof of satisfiability, we may be able to dispense with the history altogether. In that case, it is enough to exhibit just $S_1$ and $S_\infty$ (if it is finite), as long as we can prove that (i) $\bot \notin S_\infty$, (ii) $S_\infty$ is saturated, and (iii) $S_\infty \models S_1$. The first fact is trivial to show. The second fact can be easily shown for most redundancy rules used in practice by examining all the inferences from $S_\infty$. The third fact is usually easy to determine, since $S_\infty$ is saturated, but that depends on the inference system. For the examples in this paper, it will be easy.

Ideally, a theorem prover should be sound and complete. Then we are guaranteed
that the existence or non-existence of ⊥ determines whether a set of
statements is satisfiable or not. Of course, the problem of theorem proving is,
in general, undecidable for first order logic. So, in practice, theorem provers
that have proved important results are not always complete. For example, the
Robbins Algebra problem was proved with an incomplete theorem prover [8].

Throughout the history of automated theorem proving, until very recently, 
much of the emphasis has been on solving very hard theorems. A theorem proving 
contest is run every year at the CADE conference, with the main emphasis 
on proving unsatisfiability. In the past, theorem prover developers have come 
up with sound and incomplete methods that prove some theorems where some 
complete methods fail. A simple example of a sound and incomplete strategy 
is that strategy which discards every clause with more than a given number of 
symbols. 
2.1 Modifying Sound and Complete Derivations

In this paper, we are interested in satisfiability. Therefore, we will develop strate- 
gies that destroy soundness but do not destroy completeness. Soundness of an 
inference system is implied by soundness of the inference and deletion rules. We 
will relax that requirement. In particular, we will allow unsound deletion rules, 
while still requiring the inference rules to be sound. We will keep the requirement 
that deletion rules only remove redundant statements. Therefore, the inference 
systems we consider will still be complete, but not sound. 

In the rest of this section, five different ideas will be discussed. First is the idea
of Unsound Theorem Proving. That is the idea of modifying a sound and complete
theorem proving procedure so that it may be unsound, but that it remains
complete and it terminates, so that it can decide satisfiability in some cases.
The second, well-known, idea is Incomplete Theorem Proving, which modifies a
sound and complete theorem proving procedure so that it may become incomplete,
but it remains sound and it terminates. This procedure can show unsatisfiability
but not satisfiability. The third idea is Iterative Unsound Theorem Proving. This
iterates Unsound Theorem Proving, with the goal of becoming more and more
sound each time, thereby proving the satisfiability of more statements. The fourth
idea is Iterative Incomplete Theorem Proving, which iterates Incomplete Theorem
Proving, with the goal of becoming more complete each time. The final idea
is Iterative Unsound and Incomplete Theorem Proving, which simultaneously
iterates Unsound and Incomplete Theorem Proving.

The idea of Unsound Theorem Proving is presented now. After each inference
rule is performed, we look at the conclusion. In some cases, we will keep the
conclusion. In other cases, we will perform a deletion rule where the statements
D_1, ..., D_m might not follow from previous statements. Therefore, the inference
rules remain sound, but the deletion rules do not. This gives us an unsound but
complete finite theorem proving derivation. We will assume that all the D_i come
from a predetermined finite set F, so the derivation decides whether or not a
stronger (larger) set of statements is unsatisfiable. If this stronger set is satisfiable,
the original set is satisfiable. Since F is finite, this procedure must halt.

For Incomplete Theorem Proving, we also look at the conclusion of each
inference. If the conclusion is not in F, then we do not add it. Therefore, we lose
completeness. But since F is finite, the procedure terminates.

For Iterative Unsound Theorem Proving, we run the Unsound Theorem Proving
procedure. If this returns "unsatisfiable" to us, then we cannot be sure that
the answer is correct, because of unsoundness. So we repeat the procedure with a
larger set F, and this process is iterated. Iterative Incomplete Theorem Proving
is similar, except that in this case we cannot trust a result of "satisfiable", so in
that case we iterate Incomplete Theorem Proving for a larger set F.

Iterative Unsound and Incomplete Theorem Proving is a combination of the
two processes. We choose an F, then run the Unsound Theorem Proving procedure
for that F. If it returns "unsatisfiable", we run the Incomplete Theorem
Proving procedure for the same F. If that returns "satisfiable" we choose a larger
set F and iterate.
Define an F-replacement deletion rule as follows:

Definition 2. Let F be a set of statements. A deletion rule {C, D_1, ..., D_m} →
{D_1, ..., D_m} is an F-replacement rule if C ∉ F and D_1, ..., D_m ∈ F.



If I is a set of inference rules, D is a set of deletion rules containing an
F-replacement rule, and F is a finite set, then every (I, D) derivation is finite,
because only statements from F are saved. The key idea of this paper is that
a complete set of inference and deletion rules can be augmented with an F-replacement
rule, so that any derivation from the augmented set of rules will
halt, and if ⊥ is not generated from S then S is satisfiable.

We describe the Iterated Unsound and Incomplete Theorem Proving Process.
Let S be the set of statements for which we want to decide satisfiability. Let I and
D be a sound and complete set of inference and deletion rules. Let F = F_1, F_2, ...
be a monotonic sequence of finite sets of statements, i.e., F_k ⊆ F_{k+1} for all k.
We define F_∞ = ∪_{k≥1} F_k. For each k let I_k be a modification of I such that all
inferences with a conclusion not in F_k are not performed. For each k, let D_k be
D augmented with an F_k-replacement rule. Then the (I, D, F) derivation from
S is the following:

1. Let k = 1.

2. Let S_∞ be an (I, D_k) saturation of S.

3. Let T_∞ be an (I_k, D) saturation of S.

4. If ⊥ ∉ S_∞, halt and say SATISFIABLE.

5. If ⊥ ∈ T_∞, halt and say UNSATISFIABLE.

6. Let k = k + 1.

7. Go to 2.

Note that steps 2 and 3 can be computed in finite time, since each F_k is finite.
We will show that this process is sound. In fact we extend the definition of soundness
to say that if ⊥ is not produced, or if the process returns SATISFIABLE,
then S is satisfiable. The process is complete if F_∞ contains all statements.
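The process above, instantiated for propositional resolution, as an added example (this code is not part of the paper; the clause sets and the literal-dropping policy are constructed here). F_k is the set of clauses with at most k literals, the F_k-replacement rule shortens an over-long clause to k of its literals (the shorter clause implies the longer one, so the deletion is unsound but the derivation stays complete), and I_k discards over-long resolvents; the paper only sketches this clausal variant in its conclusion. The example goes beyond the text in one respect: for propositional clauses the iteration is guaranteed to reach a verdict once k equals the number of atoms, since no non-tautological clause is longer than that.

```python
"""Iterated unsound/incomplete saturation, i.e. the (I, D, F) process above,
instantiated for propositional resolution.  Added example, not the paper's
code.  A literal is a nonzero int; -p is the negation of atom p; a clause is
a frozenset of literals and the empty frozenset is the empty clause (bottom)."""

EMPTY = frozenset()


def resolvents(c1, c2):
    """All non-tautological binary resolvents of clauses c1 and c2.
    Tautologies are dropped: they are implied by the empty set, hence redundant."""
    out = set()
    for lit in c1:
        if -lit in c2:
            r = (c1 - {lit}) | (c2 - {-lit})
            if not any(-l in r for l in r):
                out.add(frozenset(r))
    return out


def strengthen(clause, k):
    """F_k-replacement: keep only k of the literals.  A subclause implies the
    clause it came from, so this deletion is unsound (the theory gets
    stronger) but it preserves completeness, as the text requires."""
    return frozenset(sorted(clause)[:k])


def saturate(clauses, k, mode):
    """Saturate with F_k = {clauses of at most k literals}.
    mode == "unsound":    the (I, D_k) run; over-long resolvents are strengthened.
    mode == "incomplete": the (I_k, D) run; over-long resolvents are discarded.
    Terminates because only finitely many clauses lie in F_k."""
    S = {frozenset(c) for c in clauses}
    if any(len(c) > k for c in S):
        raise ValueError("the input must already lie inside F_k")
    work = list(S)
    while work:
        c = work.pop()
        for d in list(S):
            for r in resolvents(c, d):
                if len(r) > k:
                    if mode == "incomplete":
                        continue
                    r = strengthen(r, k)
                if r not in S:
                    S.add(r)
                    work.append(r)
    return S


def decide(clauses):
    """Steps 1-7 of the (I, D, F) process.  Returns (verdict, k).
    k starts at the length of the longest input clause so that S lies in F_1.
    For propositional clauses a verdict is reached by k = number of atoms:
    no non-tautological clause is longer than that, so at that k nothing is
    discarded or strengthened and both runs are the full (I, D) saturation."""
    S = [frozenset(c) for c in clauses]
    k = max(len(c) for c in S)
    atom_count = len({abs(l) for c in S for l in c})
    while True:
        if EMPTY not in saturate(S, k, "unsound"):
            return "SATISFIABLE", k          # the complete run found no bottom
        if EMPTY in saturate(S, k, "incomplete"):
            return "UNSATISFIABLE", k        # the sound run found bottom
        if k >= atom_count:
            raise AssertionError("both runs coincide at k = #atoms; unreachable")
        k += 1


# Constructed sample inputs (not from the paper).
S_SAT = [{1, 2, 3}, {-1, 4, 5}, {-2}, {-3}, {-4}]   # satisfiable: 1 and 5 true
S_UNSAT = S_SAT + [{-5}]                            # now unsatisfiable

if __name__ == "__main__":
    print(decide(S_SAT))      # ('SATISFIABLE', 4)
    print(decide(S_UNSAT))    # ('UNSATISFIABLE', 3)
```

On S_SAT the process needs k = 4: at k = 3 the resolvent {2, 3, 4, 5} is strengthened to {2, 3, 4}, which together with {-2}, {-3}, {-4} derives the empty clause, so the unsound run cannot certify satisfiability, and the incomplete run at k = 3 (which simply drops {2, 3, 4, 5}) finds no empty clause either. On S_UNSAT the incomplete run already finds the empty clause inside F_3, so the sound verdict comes at k = 3.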

Theorem 1. Let I and D be a sound and complete set of inference and deletion
rules, and let F = F_1, F_2, ... be a monotonic sequence of finite sets of statements
with S ⊆ F_1. Then the (I, D, F) derivation from S is sound. If, in addition, every
(I, D) derivation from S ⊆ F_∞ contains only statements in F_∞,¹ then the (I, D, F)
derivation from S is complete.

The proof is due to the fact that each (I, D_k) derivation is finite and complete,
and each (I_k, D) derivation is finite and sound. Recall that deletion rules only
remove redundant statements.

¹ This is true, for example, if F_∞ contains all statements.
We often consider F_∞ to be the set of all statements; then it is trivially the
case that all derivations from S ⊆ F_∞ only contain statements in F_∞.

We point out some of the benefits of this procedure over the (I, D) procedure.
First of all, if a set of statements is satisfiable, then this procedure is more likely
to give an answer. There are simple cases where sound and complete derivations
will not halt. We give some examples later in the paper. Also, suppose that
we have a set of satisfiable statements S, for which the (I, D) derivation is
finite. It still might be better to use an (I, D, F) derivation, because the proof of
satisfiability might be simpler. A stronger theory may have a smaller saturated
set, and therefore a smaller proof.

The (I, D, F) derivation might actually become a decision procedure. We give
some examples later in the paper. An example of this is when for every satisfiable
set of statements S, there is a k such that ⊥ is not in the (I, D_k) derivation.



Theorem 2. Let (I, D) and F be as in Theorem 1, and let G = G_1, G_2, ... be
sets of statements with G_k ⊆ F_k for all k. Suppose that for every satisfiable
S ⊆ G_∞ there is a k such that ⊥ does not occur in the (I, D_k) derivation from S.
Then the (I, D, F) derivation is a decision procedure for the satisfiability of every
S ⊆ G_∞.



It is not necessary to know that the (I, D, F) procedure is a decision procedure
in order for it to be one, whereas it is necessary to know in advance if
the (I_k, D) derivation is a decision procedure in order for it to be one. We will
discuss that issue further in the next section.

These ideas can also be applied to existential problems, i.e., unification problems.
In that case, the (I, D_k) and the (I_k, D) derivations both produce a complete
set of unifiers. One is an over-approximation, and one is an under-approximation.
This could be a useful way to approximate unification.



3 Knuth-Bendix Completion 

We have presented an abstract framework for using unsound theorem proving to
determine satisfiability, and to develop decision procedures. But that framework is
not useful unless some interesting examples fit into the framework. In particular,
what are the F_k in the sequence F_1, F_2, ..., and, even more important, what are
the values of the D_k used in the F_k-replacement deletion rules?

Next we extend this framework to Knuth-Bendix Completion [3], which is
an inference system over equations s ≈ t and disequations s ≉ t. Completion
consists of the inference rules Critical Pair, Narrowing and Equation Resolution,
plus the deletion rule Simplification. Now we will apply our framework to
Knuth-Bendix Completion. First we define the sequence F_1, F_2, ....

Definition 3. For a term t, let |t| be the size (number of symbols) of t. For each
k, let F_k be the set of all equations s ≈ t and disequations s ≉ t such that
|s| ≤ k and |t| ≤ k.
Clearly F_∞ is the set of all equations and disequations. Another possibility
for F_k is to let k be a limit on the depth of the terms in F_k. The replacement
deletion rule is to add an equation that subsumes one not in F_k:

Definition 4. Unsound Subsumption is the deletion rule {A} → {A'} where
A'σ = A for some substitution σ, A ∉ F_k, and A' ∈ F_k.

This replaces an equation or disequation A with A', where A' is a new equation
or disequation that strictly subsumes A, and A' ∈ F_k. It is easy to find such
an A'. It is just necessary to replace subterms in A with variables. The best idea
is to replace as few subterms as possible, so that A' is in F_k but not in F_{k-1}.
Next we show how the (I, D, F) derivation becomes a decision procedure for
some theories (sets of equations). For example, consider the theories E we will
call size preserving linear.

Definition 5. A set of equations E is size preserving linear if for every
s ≈ t ∈ E, |s| = |t| and s ≈ t is linear, i.e. each variable occurs at most once in
s and at most once in t.

We prove that this property is preserved by inferences and deletions.

Lemma 1. Let E be size preserving linear. Then every equation produced by an
inference or a deletion rule applied to E is size preserving linear.

We also show that inferences among size preserving linear equations can
never result in a smaller equation. We actually prove something more general
than that, because we will need it later. Let's define |s ≈ t| = min{|s|, |t|}.

Lemma 2. Let n ≥ 0, and let e_1 and e_2 be size preserving linear equations with
|e_1| ≥ n or |e_2| ≥ n. If e_3 is the conclusion of an inference with premises e_1
and e_2, then |e_3| ≥ n.

We use these results to get a decision procedure.

Definition 6. For each k, let G_k be the set consisting of the disequations in F_k
and the size preserving linear equations in F_k.

The following theorem is implied by the fact that once an equation e outside
of G_k is created, then any rule with e as one of its premises will have a conclusion
that is not in G_k.

Theorem 3. Let (I, D) be Knuth-Bendix Completion and let S ⊆ G_k. Then the
(I_k, D) derivation from S halts and derives ⊥ if and only if S is unsatisfiable;
that is, (I_k, D) is a decision procedure for S.

There is a similar theorem for unsound derivations.

Theorem 4. Let (I, D) be Knuth-Bendix Completion and let S ⊆ G_∞. Then the
(I, D, F) derivation from S is a decision procedure for S.
As we did in the framework, we once again point out the distinction between
those two theorems. For Theorem 3, it is necessary to know in advance
that (I_k, D) will be a decision procedure. But for Theorem 4, (I, D, F) is a
decision procedure, and it is not necessary to know that in order for it to be
one. For example, (I, D, F) is a decision procedure for the theory {f(f(x)) ≈
g(f(x)), h(a) ≈ b}, whereas (I_k, D) would require a new theorem in order to
turn it into a decision procedure. It is worth pointing out that Knuth-Bendix
Completion will normally not halt for many size preserving linear theories, such
as {f(f(x)) ≈ g(f(x))}.

4 Nonground Congruence Closure 

Now we extend the Abstract Congruence Closure algorithm of [6, 4] to equations 
with variables. That algorithm works by creating new constants representing 
equivalence classes of terms. In our approach, we create new function symbols in 
addition to new constants. The function symbols when applied to terms repre- 
sent equivalence classes. So the function symbol itself represents a parametrized 
equivalence class. We apply the Knuth-Bendix procedure to the flattened equa- 
tions. The result might not be flat. Therefore, we flatten the conclusion of the 
inference, and create a new function symbol. This process can go on forever, but 
it is still complete, if we order the new (possibly infinitely many) symbols in a 
well-founded way. 

There are some advantages of this approach over Knuth-Bendix Completion. 
Equations are kept small, and inferences are easy to perform. The ordering used 
is trivial to calculate on flat terms. Also, rewrite chains are polynomial in the 
number of equations. 

Unfortunately, this procedure may not halt on sets of equations where Knuth- 
Bendix Completion halts. However, when we apply unsound theorem proving 
to this method, it appears to have advantages over Knuth-Bendix Completion. 
In many instances of traditional theorem proving, it is possible to tell that if 
there was a proof we would have found it already. This corresponds to Knuth- 
Bendix Completion being able to determine that all future equations will be 
larger than a given size. As far as we know, there is no way to do that in Knuth-Bendix
Completion, aside from coming up with some meta-theorem, as in the
previous section, or using unsound theorem proving. In the Congruence Closure
method, unsound theorem proving is not even necessary, although we present
it to strengthen this approach and to handle additional classes of equations.

4.1 Nonground Congruence Closure 

We will now define Nonground Congruence Closure. First, define the height Ht(t)
of a term t such that Ht(x) = 0 for all variables x, and Ht(f(t_1, ..., t_n)) =
1 + max{Ht(t_1), ..., Ht(t_n)}. Let Vars(t) be the set of all variables occurring in t.
The depth of x ∈ Vars(t) is defined as depth(x, x) = 0 and depth(x, f(t_1, ..., t_n)) =
1 + max{depth(x, t_i) | x ∈ Vars(t_i)}. Let root(t) be the top symbol of t, and let
occur(x, t) be the number of occurrences of x in t.
Definition 7. An equation s ≈ t is flat if (i) Ht(s) ≤ 2 and Ht(t) ≤ 1, (ii)
Vars(t) ⊆ Vars(s) and t is linear,² and (iii) if depth(x, s) = 2 then x occurs
only once in s.

When restricted to ground terms, this definition is the same as the usual
definition of flat ground equations. Note that a term of height 1 is of the form
f(x_1, ..., x_n), where n ≥ 0. All equations can be flattened.

We are going to consider a signature Σ, and an infinite set of new function
symbols C = {c_1, c_2, ...}. Let Σ_C = Σ ∪ C be an extended signature.

Ordering: We assume a total precedence <_p on the symbols, with the requirement
that arity(f) < arity(g) implies that f <_p g. Furthermore, if i < j and
arity(c_i) = arity(c_j) then c_i <_p c_j. This last fact guarantees that the precedence
order is well-founded. From the precedence ordering, we can define an ordering
<_f on ground terms.

Definition 8. Let s = f(s_1, ..., s_n) and t = g(t_1, ..., t_m) be ground terms. Then
s >_f t if

1. |s| > |t|, or

2. |s| = |t| and f >_p g, or

3. |s| = |t|, f = g, and {s_1, ..., s_n} >_f {t_1, ..., t_m}.³

The relation <_f is really a well-founded monotonic ordering, and it is simple
to compute on flat equations.

Theorem 5. <_f is a well-founded ordering on ground terms that is monotonic
with respect to contexts.

This ordering can be extended to a total ordering on ground terms by comparing
sets of subterms lexicographically in case 3 of the definition of the order.
We extend <_f to nonground terms as usual: s >_f t if and only if sσ >_f tσ for
all ground substitutions σ.

For flat terms, it is especially simple to compare sides of flat equations in
the <_f ordering. We simply compare the height of the terms. If the heights are
equal, then we compare the precedence of the root symbols.

Theorem 6. Let s ≈ t be a flat equation. Then s >_f t if and only if (i) Ht(s) >
Ht(t), or (ii) Ht(s) = Ht(t) and root(s) >_p root(t).

Note that for all flat equations s ≈ t, s and t can be compared using
the <_f ordering, except for equations of the form f(x_1, ..., x_n) ≈ f(y_1, ..., y_n)
where x_1, ..., x_n is a permutation of y_1, ..., y_n.
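As an added example (not the paper's code), the flatness test of Definition 7 and the Theorem 6 comparison applied to a few equations, among them the rules g(f(x)) ≈ c_1(x) and c_1(c_1(x)) ≈ c_2(x) of the flattened theory {f(g(f(x))) ≈ g(f(x))} discussed at the end of this section. The symbols a, f, g, h, p, c1, c2, c3 and the precedence list are constructed here; the paper fixes only that precedence grows with arity and that c_i <_p c_j for i < j, so placing the new symbols above the signature symbols of equal arity is our tie-break.

```python
"""Flat equations (Definition 7) and the comparison of their sides in the
>_f ordering (Theorem 6).  Added example, not the paper's code.  A term is a
nested tuple ('f', t1, ..., tn); a variable is a plain string."""

# Constructed signature and precedence (increasing).  The paper requires the
# precedence to grow with arity and c_i <_p c_j for i < j; placing the new
# symbols c1, c2, c3 above the signature symbols of equal arity is our choice.
ARITY = {"a": 0, "f": 1, "g": 1, "h": 1, "c1": 1, "c2": 1, "c3": 1, "p": 2}
PRECEDENCE = ["a", "f", "g", "h", "c1", "c2", "c3", "p"]
assert all(ARITY[PRECEDENCE[i]] <= ARITY[PRECEDENCE[i + 1]]
           for i in range(len(PRECEDENCE) - 1)), "precedence must respect arity"


def is_var(t):
    return isinstance(t, str)


def root(t):
    return None if is_var(t) else t[0]


def height(t):
    """Ht(x) = 0; Ht(f(t1, ..., tn)) = 1 + max Ht(ti); a constant has height 1."""
    if is_var(t):
        return 0
    return 1 + max((height(a) for a in t[1:]), default=0)


def variables(t):
    return {t} if is_var(t) else {x for a in t[1:] for x in variables(a)}


def occur(x, t):
    """Number of occurrences of variable x in t."""
    if is_var(t):
        return 1 if t == x else 0
    return sum(occur(x, a) for a in t[1:])


def depth(x, t):
    """depth(x, x) = 0; depth(x, f(t1..tn)) = 1 + max over the ti containing x."""
    if is_var(t):
        return 0
    return 1 + max(depth(x, a) for a in t[1:] if x in variables(a))


def is_linear(t):
    return all(occur(x, t) == 1 for x in variables(t))


def is_flat(s, t):
    """Definition 7: Ht(s) <= 2, Ht(t) <= 1, Vars(t) within Vars(s), t linear,
    and every variable sitting at depth 2 in s occurs only once in s."""
    return (height(s) <= 2 and height(t) <= 1
            and variables(t) <= variables(s) and is_linear(t)
            and all(occur(x, s) == 1 for x in variables(s) if depth(x, s) == 2))


def prec_gt(f, g):
    """f >_p g under the constructed precedence."""
    return PRECEDENCE.index(f) > PRECEDENCE.index(g)


def compare(s, t):
    """Theorem 6 on a flat equation s ~ t: 1 if s >_f t, -1 if t >_f s, and 0
    when the sides are incomparable (same root, permuted variables), which is
    the one case the text singles out."""
    if not is_flat(s, t) and not is_flat(t, s):
        raise ValueError("Theorem 6 only applies to flat equations")
    hs, ht = height(s), height(t)
    if hs != ht:
        return 1 if hs > ht else -1
    if hs == 0 or root(s) == root(t):
        return 0
    return 1 if prec_gt(root(s), root(t)) else -1


# Constructed sample equations; the first and last are rules of the flattened
# theory {f(g(f(x))) ~ g(f(x))} discussed at the end of this section.
SAMPLES = [
    (("g", ("f", "x")), ("c1", "x")),               # flat, left side larger
    (("f", ("g", ("f", "x"))), ("g", ("f", "x"))),  # not flat: Ht(s) = 3
    (("g", ("p", "x", "x")), ("c1", "x")),          # not flat: x at depth 2 twice
    (("p", "x", "y"), ("p", "y", "x")),             # flat but incomparable
    (("f", "x"), ("c1", "x")),                      # decided by precedence
    (("c1", ("c1", "x")), ("c2", "x")),             # flat, left side larger
]

if __name__ == "__main__":
    for s, t in SAMPLES:
        flat = is_flat(s, t)
        print(s, t, "flat" if flat else "not flat", compare(s, t) if flat else "")
```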

Flattening. Now we define how to flatten a set of equations E using the following
rules. The resulting flattened set will be called flat(E).

² Each variable occurs at most once in t.

³ Here we mean the multiset extension of >_f.
1. If u[s] ≈ v ∈ E and Ht(s) = 2, and either Ht(u[s]) > 2 or Ht(v) > 1,
then replace u[s] ≈ v with u[c(x_1, ..., x_n)] ≈ v and s ≈ c(x_1, ..., x_n), where
{x_1, ..., x_n} = Vars(s), and c is a new function symbol from C.

2. If u ≈ v ∈ E and Ht(u) ≤ 2 and Ht(v) = 1 and both of the following hold:

(a) u is not linear or Vars(u) ⊈ Vars(v) or Ht(u) = 2, and

(b) v is not linear or Vars(v) ⊈ Vars(u),

then replace u ≈ v with u ≈ c(x_1, ..., x_n) and v ≈ c(x_1, ..., x_n), where
{x_1, ..., x_n} = Vars(u) ∩ Vars(v), and c is a new function symbol from C.

3. Suppose that u ≈ v ∈ E such that Ht(u) = 2, Ht(v) ≤ 2, v is linear,
Vars(v) ⊆ Vars(u), and there is some variable x such that depth(x, u) = 2
and occur(x, u) ≥ 2.

Then let u' be the term formed from u by, for all y ∈ Vars(u), replacing
the occurrences of y with new variables y_1, ..., y_{occur(y,u)}. Define a substitution
γ such that, for all y_j created in the previous sentence, y_jγ = y. Let Z
be the set of all the new y_j created. Obviously Z is the domain of γ, and
Vars(u) is the range. Let z_1, ..., z_m be an enumeration of the members of Z.

Finally, replace u ≈ v with u' ≈ c(z_1, ..., z_m) and c(z_1γ, ..., z_mγ) ≈ v.

This procedure will always halt in a flat set of equations which is a conservative
extension of the original set.

Lemma 3. For every set of equations E, the flattening rules terminate, flat(E)
is a flat set of equations, and flat(E) is a conservative extension of E.

The inference and deletion rules for Congruence Closure are the same as the
inference and deletion rules for Knuth-Bendix Completion, with the addition of
one flattening deletion rule that will be performed once after a non-flat equation
is created by an inference or deletion rule.

Flattening:

    u ≈ v
    ------------------------------------------
    u ≈ c(x_1, ..., x_n)    v ≈ c(x_1, ..., x_n)

where u ≈ v is not flat,⁴ {x_1, ..., x_n} = Vars(u) ⊆ Vars(v), and c is a new
function symbol from C.

Note that the result of a Critical Pair or Simplification rule will be an equation
u ≈ v such that Ht(u) ≤ 2 and Ht(v) ≤ 2.

Lemma 4. Let e_1 and e_2 be flat equations, and let u ≈ v be the conclusion of
a Critical Pair or Simplification inference between e_1 and e_2. Then Ht(u) ≤ 2,
Ht(v) ≤ 2, there is no variable x with depth(x, u) = 2 and occur(x, u) ≥ 2, and
there is no variable x with depth(x, v) = 2 and occur(x, v) ≥ 2.

Therefore, the conclusion of Flattening will always be a flat equation, since
c(x_1, ..., x_n) is linear, and all of its variables also appear in u and v.

⁴ For instance, because Ht(u) = Ht(v) = 2.
Compare equations by defining s ≈ t <_f u ≈ v if {s, t} <_f {u, v}, where the
<_f on the right is the multiset extension of <_f. The two new equations produced
by Flattening are smaller than the one they replace. For example, c_i(x_1, ..., x_n) <_f u,
because Vars(c_i(x_1, ..., x_n)) ⊆ Vars(u), c_i(x_1, ..., x_n) is linear, and

1. Ht(u) = 2, or

2. Ht(u) = 1 and there is a variable in u that is not in c_i(x_1, ..., x_n), so
arity(c_i) < arity(root(u)), or

3. Ht(u) = 1 and u is not linear, so arity(c_i) < arity(root(u)).

Since the two new equations imply the replaced equation, and because the
new equations are smaller, this is an instance of removing a redundant equation.
Therefore, the Congruence Closure inference system is sound and complete.

Theorem 7. The Nonground Congruence Closure inference system is sound and
complete.



4.2 Fitting into Framework 

Now that the Nonground Congruence Closure inference procedure is defined,
we fit it into our framework. We have defined the inference rules so that all
equations are flat, but the disequations are not necessarily flat. It would also be
possible to flatten the disequations, but we chose not to approach it that way.
For unsound theorem proving, we need to define a sequence F_1, F_2, ....

Definition 9. For each k, let F_k be the set of all flat equations over the signature
Σ ∪ {c_1, ..., c_k}, together with all disequations s ≉ t over Σ ∪ {c_1, ..., c_k} such
that |s| ≤ k and |t| ≤ k.

Then the F_k-replacement rule is the Combine Equivalence Classes deletion rule.

Definition 10. Combine Equivalence Classes is the deletion rule {u ≈ c_j(x_1, ...,
x_n)} → {u ≈ c_i(y_1, ..., y_m)}, where j > k, i ≤ k, arity(c_i) ≤ arity(c_j),⁵ and
{y_1, ..., y_m} ⊆ {x_1, ..., x_n}.

Notice that each F_k is finite, and that the Combine Equivalence Classes rule
will replace a term not in F_k with a term in F_k, assuming that the statement is
not a disequation with too many symbols on one side. But we will use this rule in
derivations where such disequations are never created. The Combine Equivalence
Classes rule has the effect of preventing the inference procedure from creating new
function symbols at some point, which creates an unsound, complete inference
procedure.

Given an equation s ≈ t ∈ E, we sometimes write it as s → t if s >_f t.
Then → represents the rewrite relation, and →* represents its reflexive and
transitive closure. We will define a size function called minsize on all symbols
and all terms, with respect to a set of equations. The intention will be that
minsize(t, E) = min{|s| | s ∈ T_Σ and s →* t}, where minsize(t) = |t| for all
t ∈ T_Σ.

⁵ We can assume some initial constant a, or a set of constants with small arity, if
necessary, so that this is always possible.
Definition 11. Let E be a set of equations. Then minsize(x, E) = 0 for every
variable x; minsize(f, E) = 1 for every f ∈ Σ; minsize(f(t_1, ..., t_n), E) =
minsize(f, E) + Σ_{1≤i≤n} minsize(t_i, E) for every symbol f; and, for every c ∈ C,
minsize(c, E) = min{minsize(t, E) | t → c(x_1, ..., x_n) ∈ E}.

In the long version, we show that for every term t, minsize has some value,
and minsize(t, E) is the size of the smallest term in T_Σ which rewrites to t.

For any term t, define maxsym(t, E) = max{minsize(c, E) | c is a symbol
in t}, and define maxsym(s ≈ t, E) = min{maxsym(s, E), maxsym(t, E)}. If
u >_f v, then define an equation u ≈ v ∈ E to be expanding if maxsym(u, E) ≤
maxsym(v, E) and every variable of u occurs in v.

Lemma 5. Let e_1 and e_2 be expanding equations in E with maxsym(e_1, E) > n
or maxsym(e_2, E) > n. If e_3 is the conclusion of an inference with premises e_1
and e_2, then maxsym(e_3, E) > n.

This lemma can be used to show that the traditional and the unsound procedures
can become decision procedures in some cases.



Lemma 6. Let n ≥ 1, and let u ≈ v be an equation with |u| ≤ n and |v| ≤ n.
Let S be a set of equations and let S_n = {s ≈ t ∈ S | maxsym(s) ≤ n and
maxsym(t) ≤ n}. If S_n is saturated and every equation in S_n is expanding, then
S ⊨ u ≈ v if and only if ⊥ is derived from S_n ∪ {u ≉ v}.

The lemma follows from the fact that for an expanding set of equations, once
an equation s ≈ t appears with maxsym(s) > n or maxsym(t) > n, then any
descendant of that equation will also have that property.

Suppose that we are trying to prove the unsatisfiability of a set of equations
and disequations, and suppose that at some point of the theorem proving
derivation we have saturated all equations of the form s ≈ t with maxsym(s) ≤
n and maxsym(t) ≤ n. If all such equations are expanding, then (I_n, D) is a
decision procedure for the word problem for any equation u ≈ v with |u| ≤ n
and |v| ≤ n. Furthermore, the (I, D, F) procedure will be a decision procedure,
even though we may not know that it is.

If we can show that some set of equations S will only create expanding
equations in the saturation, then the (I, D, F) procedure is a decision procedure
for S. For example, we can show that it forms a decision procedure for size
preserving linear theories.

Theorem 8. The (I, D, F) Nonground Congruence Closure derivation is a decision
procedure for size preserving linear theories.



Finally, we consider another interesting theory, where Knuth-Bendix Completion
does not halt, but it is not size preserving. The theory is {f(g(f(x))) ≈
g(f(x))}. If we flatten this theory, we get the equations g(f(x)) ≈ c_1(x) and
f(c_1(x)) ≈ c_1(x) (assuming a simplification). There is one inference that can be
done on these two equations. Its result adds the two equations g(c_1(x)) ≈ c_2(x) and
c_1(c_1(x)) ≈ c_2(x). If we could continue this process infinitely, then for all i and
j, we get f(c_i(x)) ≈ c_i(x), g(c_i(x)) ≈ c_{i+1}(x) and c_i(c_j(x)) ≈ c_{i+j}(x). Notice
that minsize(g, E) = minsize(f, E) = 1, and minsize(c_i, E) = i + 1 for all i.
All of the rules in the infinite saturated set are expanding, so both the unsound
and the traditional method will give us a decision procedure.
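minsize, maxsym and the expanding test from Definition 11 onward, computed on the four flattened rules of the example above, as an added example (the code is not from the paper). Rules are given already oriented left to right, as the text orients them by height; the least-fixpoint loop for minsize on the new symbols and the convention that maxsym of a bare variable is 0 are our choices.

```python
"""minsize, maxsym and the 'expanding' property (Definition 11 and the text
after it), computed on the flattened rules of the example above.  Added
example, not the paper's code.  Terms are nested tuples ('f', t1, ..., tn),
variables are strings, and a rule (u, v) is read as u -> v, already oriented
as in the text (by height, the larger side on the left)."""

INF = float("inf")


def is_var(t):
    return isinstance(t, str)


def variables(t):
    return {t} if is_var(t) else {x for a in t[1:] for x in variables(a)}


def symbols(t):
    return set() if is_var(t) else {t[0]} | {f for a in t[1:] for f in symbols(a)}


def term_minsize(t, ms):
    """minsize(x, E) = 0; minsize(f(t1..tn), E) = minsize(f, E) + sum minsize(ti, E)."""
    if is_var(t):
        return 0
    return ms[t[0]] + sum(term_minsize(a, ms) for a in t[1:])


def symbol_minsizes(rules, signature):
    """minsize on symbols: 1 for f in Sigma, and for a new symbol c the value
    min{ minsize(t, E) | t -> c(x1..xn) in E }.  Because a left-hand side may
    itself mention new symbols, this is computed as a least fixpoint, starting
    from infinity and lowering until nothing changes (our implementation choice)."""
    ms = {f: 1 for f in signature}
    new = {v[0] for _, v in rules if not is_var(v) and v[0] not in signature}
    ms.update({c: INF for c in new})
    changed = True
    while changed:
        changed = False
        for u, v in rules:
            if not is_var(v) and v[0] in new:
                cand = term_minsize(u, ms)
                if cand < ms[v[0]]:
                    ms[v[0]] = cand
                    changed = True
    return ms


def maxsym(t, ms):
    """max minsize over the symbols of t; 0 for a bare variable (our convention)."""
    return max((ms[f] for f in symbols(t)), default=0)


def expanding(u, v, ms):
    """u -> v is expanding iff maxsym(u) <= maxsym(v) and Vars(u) within Vars(v)."""
    return maxsym(u, ms) <= maxsym(v, ms) and variables(u) <= variables(v)


# The example's flattened theory after the one inference step described in the text.
SIGMA = {"f", "g"}
E = [
    (("g", ("f", "x")), ("c1", "x")),        # g(f(x))   -> c1(x)
    (("f", ("c1", "x")), ("c1", "x")),       # f(c1(x))  -> c1(x)
    (("g", ("c1", "x")), ("c2", "x")),       # g(c1(x))  -> c2(x)
    (("c1", ("c1", "x")), ("c2", "x")),      # c1(c1(x)) -> c2(x)
]


def analyse(rules, signature):
    """Return the symbol minsizes and, per rule, whether it is expanding."""
    ms = symbol_minsizes(rules, signature)
    return ms, [expanding(u, v, ms) for u, v in rules]


if __name__ == "__main__":
    ms, flags = analyse(E, SIGMA)
    print(ms)     # {'f': 1, 'g': 1, 'c1': 2, 'c2': 3}
    print(flags)  # [True, True, True, True]
```

The fixpoint reproduces the values quoted in the text, minsize(c_1) = 2 and minsize(c_2) = 3, with f and g at 1, and every rule passes the expanding test; the last assertion in the test shows the test failing, as intended, for a rule whose right-hand side drops a variable of the left.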



5 Conclusion 

We have discussed the benefits of unsound theorem proving, for disproving con- 
jectures. It can often find disproofs when traditional methods do not. 

We gave a framework for unsound and complete theorem proving, which 
amounts to proof in a stronger theory, which can be decided. We discussed how to 
iterate the process to attempt to find weaker and weaker approximations, and we 
showed how this can be combined with a sound and incomplete theorem prover, 
and how to iterate them both to continually attempt to refine approximation 
from both sides. 

We instantiated our framework with Knuth-Bendix Completion and a nonground
Congruence Closure method, based on ground Congruence Closure methods
[6, 4]. Our Nonground Congruence Closure is new, as far as we know. However,
it is in the same spirit as what is done in [10], which also uses the Knuth-Bendix
inference rules followed by eager splitting of equations introducing new
constant symbols, and it also has an arity-compatible precedence. The inference
system of [10] was shown to terminate for standard theories. A difference is that
we allow depth-2 linear variables to appear at depth one on the right hand side
of rules. This means that we can capture all equational theories, but of course
it makes theorem proving undecidable. We gave some evidence to indicate that
our Nonground Congruence Closure may be especially powerful in combination with
unsound theorem proving.

We did not discuss how to instantiate the framework with clausal theorem 
proving methods like Resolution and Paramodulation. However, we can quickly 
suggest a method for unsound deletion. In the paper, we have shown how to 
prevent terms from becoming too large. For clauses, we must also prevent them 
from becoming too long. A simple method to do that is to delete some liter- 
als when a clause gets too long. There may be other more sophisticated and 
interesting methods. 

Our work can be compared with other approximation methods. For example, 
[1] shows how to disprove false conjectures by translating them into second-order 
monadic logic. This is an unsound approximation in the same sense as our paper. 
In [7], an efficient approximation of A-unification is given by modifying a goal- 
directed inference method. Those two papers give a single approximation, using 
a completely different method than ours. Many goal directed theorem proving 
procedures and constraint solving methods could be thought of as successive 
unsound approximations. The paper [5] is close in spirit to our paper. It discusses
how to get successive approximations by converting first order clauses into
ground clauses, and then applying a satisfiability test. When a ground solution
is found, it must be verified for soundness. It also discusses other approximations
besides ground clauses. We are not aware of other work besides ours which
successively modifies a saturation procedure to produce strong models.
Abstract. A tableau calculus for a logic with constructive negation and
an implementation of the related decision procedure is presented. This
logic is an extension of Nelson logic and it has been used in the framework
of program verification and timing analysis of combinatorial circuits. The
decision procedure is tailored to shrink the search space of proofs and it is
proved correct by using a semantical technique. It has been implemented
in the C++ language.



1 Introduction 

Since the works of Nelson [11] and Thomason [14], logics with constructive negation
(~) have been deeply investigated in the literature. Unlike intuitionistic
negation (¬), where ¬A is understood as "A implies falsehood", the meaning
of ~A is defined according to the structure of A, where the notion of falsity of an
atomic formula is as primitive as the concept of its truth (for a thorough discussion
about constructive negation see [17]). Nelson logic N extends intuitionistic
logic by adding a constructive negation. Accordingly, both positive and negative
information have a constructive nature; indeed, N enjoys the disjunction property (if
a formula A ∨ B belongs to N, then either A or B belongs to N) and its negative
counterpart (if ~(A ∧ B) belongs to N, then either
~A or ~B belongs to N). Beyond N, many other logical systems with the same
constructive features have been studied; for a comprehensive picture, we refer
the reader to [7], where sequent calculi and Kripke semantics of predicate constructive
logics with constructive negation are presented. The interest in such
logics has increased thanks to their applications in Computer Science; first
of all, we mention the relevance of constructive negation in logic programming
and in knowledge representation (see, e.g., [12, 13]).

In this paper we focus on a particular propositional logic with constructive
negation, namely the propositional fragment of the logic E introduced in [10]
(where E stands for "effective"). Instead of two negations, only the constructive
negation is used, but a new unary logical operator (□) is introduced to represent
classical truth inside E: a formula □A belongs to E if and only if A is classically
valid. In the classification of [7], E coincides with the logic N3o, namely the logic
obtained by adding one further axiom schema to Nelson logic. The interaction
between constructive falsity and classical truth provides a
powerful environment where one can embed classical reasoning in a constructive
setting, and this has a fruitful impact for Computer Science. Two recent trends
encourage the research in this direction: [3] describes a framework based
on logic E oriented to verification of computer programs; in [5] formal proofs of
E are used to extract information about the propagation delays of signals in a
combinatorial circuit (timing analysis).

In this context, the main contribution of the paper is to supply a space- 
efficient tool to generate proofs of E. Firstly, we present a tableau calculus for 
E. Differently from the calculi presented in [1, 7], we aim to avoid what might 
produce inefficiency in the proof search task. Along the lines of [4, 9, 16], we avoid 
duplications of formulas: when a rule is applied to a formula A, A must not occur 
in the obtained configuration. The rules for the formulas A ∨ B and ~(A ∧ B) 
are defined according to their constructive meaning. A peculiar feature of our 
calculus is the combination of constructive and non-constructive tools; indeed, 
in particular configurations, we are allowed to continue a proof by using the 
rules for classical logic. The most expensive task in the proof search strategy is 
backtracking. Typically, if one fails to build a closed proof table, one has 
to restore some old configuration and try the application of a different rule. In 
our implementation we reduce this kind of backtracking and, using a semantical 
argument, we show that backtracking can actually be limited to a few 
rules. 

We have implemented in the C++ language a decision procedure for the logic 
E based on the proof search strategy. The program is available at 
http://www.dimequant.unimib.it/elogic/index.html. 



2 The Logic E 

We consider the propositional language L based on a denumerable set of 
propositional variables and the logical constants ∧, ∨, →, ~ and □. We denote with 
p, q, ... propositional variables and with A, B, ... arbitrary formulas. We write 
A ↔ B as an abbreviation of (A → B) ∧ (B → A). A literal is any formula of 
the kind p or ~p, where p is a propositional variable. We denote with Int the 
set of intuitionistically valid formulas of the propositional language L_int having as 
logical constants ∧, ∨, →, ¬. Cl denotes the set of classically valid formulas of L, 
where □ has to be trivially understood as the identity operator (namely, □A is 
equivalent to A). 

The logic E (in the predicate language) has been introduced in [10], where 
both a natural deduction calculus and a Kripke semantics are provided. In this 
section we outline some results presented in [10]. The logic E can be axiomatized 
by adding to the positive axioms of Int (see, for instance, [15]) the following 
axioms, which characterize ~ as a constructive negation and □ as an operator to 
represent classical validity: 

(E1). ~(A ∧ B) ↔ (~A ∨ ~B) 
(E2). ~(A ∨ B) ↔ (~A ∧ ~B) 
(E3). ~(A → B) ↔ (A ∧ ~B) 
(E4). ~~A ↔ A 
(E5). A ∧ ~A → B 
(E6). (□A ∧ □~A) → B 
(E7). (~A → B ∧ ~B) → □A 
(E8). (A → B ∧ ~B) → ~□A 

Clearly, E is contained in Cl. Constructive negation (also called strong negation) 
is weaker, with respect to provability, than classical negation; as a matter of 
fact, the classical tautologies ~(A ∧ ~A), (A → B) → (~B → ~A) and 
(A → B) → (~A ∨ B) do not belong to E. Moreover, unlike intuitionistic negation, 
constructive negation satisfies the principle of constructible falsity (cf), which is 
the negative counterpart of the disjunction property (dp). This means that: 

(cf). ~(A ∧ B) ∈ E implies ~A ∈ E or ~B ∈ E; 

(dp). A ∨ B ∈ E implies A ∈ E or B ∈ E. 

The □ operator allows us to represent classical validity inside E; indeed: 

(ct). □A ∈ E if and only if A ∈ Cl. 

Intuitionistic validity can be represented inside E by means of a translation 
map T defined on formulas of L_int. As a matter of fact, let us define: 

T(p) = p, with p a propositional variable; 

T(A ∘ B) = T(A) ∘ T(B), with ∘ ∈ {∧, ∨, →}; 

T(¬A) = □~A. 

Then: 

(int). A ∈ Int if and only if T(A) ∈ E. 

We point out that in the literature logics with both intuitionistic and con- 
structive negation have been investigated (see, e.g., [7, 11, 14, 17]). The logic E, 
provided we define □A as ¬¬A, coincides with the logic N3o of [7], namely, the 
logic obtained by adding to Nelson logic N3 the axiom ¬¬(A ∨ ~A). In [10] the 
logic E*, which is maximal among the logics containing E and satisfying (dp), 
(cf) and (ct), is also presented. 

To treat constructive negation, we introduce a Kripke semantics equivalent 
to the one in [7, 10]. We denote with (P, ≤) a poset (partially ordered set), where 
P is a nonempty set and ≤ is a partial ordering between elements of P; (P, ≤, ρ) 
means that ρ is the minimum element of (P, ≤). We call a final element of (P, ≤) 
any φ ∈ P that is maximal in (P, ≤) (that is, for every α ∈ P, φ ≤ α implies 
φ = α). Given α ∈ P, Fin(α) denotes the set of final elements φ of (P, ≤) 
such that α ≤ φ. Without loss of generality, we assume that, for every α ∈ P, 
Fin(α) ≠ ∅. A Kripke model for L is a structure K = (P, ≤, ρ, ⊩), where (P, ≤, ρ) 
is a poset and ⊩ (the forcing relation) is a binary relation between elements α 
of P and literals l of L such that: 

(K1). α ⊩ l and α ≤ β implies β ⊩ l; 

(K2). For every propositional variable p, it is not true that α ⊩ p and α ⊩ ~p; 

(K3). For every final element φ of K and every propositional variable p, φ ⊩ p 
or φ ⊩ ~p. 

The forcing relation is extended in a standard way to arbitrary formulas of 
L as follows: 

1. α ⊩ A ∧ B iff α ⊩ A and α ⊩ B; 

2. α ⊩ A ∨ B iff α ⊩ A or α ⊩ B; 

3. α ⊩ A → B iff, for every β ∈ P such that α ≤ β, β ⊩ A implies β ⊩ B; 

4. α ⊩ □A iff, for every φ ∈ Fin(α), φ ⊩ A; 

5. α ⊩ ~(A ∧ B) iff α ⊩ ~A or α ⊩ ~B; 

6. α ⊩ ~(A ∨ B) iff α ⊩ ~A and α ⊩ ~B; 

7. α ⊩ ~(A → B) iff α ⊩ A and α ⊩ ~B; 

8. α ⊩ ~□A iff, for every φ ∈ Fin(α), φ ⊩ ~A; 

9. α ⊩ ~~A iff α ⊩ A. 

We write α ⊮ A to mean that α ⊩ A does not hold. It is easy to check that 
properties (K1), (K2) and (K3) hold for arbitrary formulas as well. In this gen- 
eralized formulation, (K1) is the usual monotonicity property of the forcing relation, 
and (K3) states that a final element φ of K behaves like a classical interpretation. 
Note that a classical interpretation I can be seen as a Kripke model having I 
as the only element and forcing relation defined in the obvious way. 

A formula A is valid in K if and only if α ⊩ A for all elements 
α of K. As proved in [10], E coincides with the set of formulas valid in all Kripke 
models. 
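As an added illustration (not code from the paper or from its C++ implementation), the following Python snippet evaluates the forcing relation of clauses 1-9 on a small finite Kripke model, checks (K1)-(K3), and applies the translation map T; the tuple encoding of formulas, the sample model and all helper names are assumptions made here.

```python
from itertools import product

# Formulas are nested tuples (a constructed encoding, not the paper's notation):
#   'p'                          propositional variable
#   ('~', A)                     constructive negation
#   ('box', A)                   the operator [] of E
#   ('and', A, B) / ('or', A, B) / ('imp', A, B)
# Literals forced in the model are written 'p' or ('~', 'p').

class KripkeModel:
    """Finite Kripke model K = (P, <=, rho, ||-) for E, as in Section 2."""

    def __init__(self, worlds, order, root, lits):
        self.P = list(worlds)
        self.root = root
        # order: pairs (a, b) meaning a <= b; take the reflexive-transitive closure
        le = set(order) | {(w, w) for w in worlds}
        changed = True
        while changed:
            changed = False
            for (a, b), (c, d) in product(list(le), repeat=2):
                if b == c and (a, d) not in le:
                    le.add((a, d))
                    changed = True
        self.le = le
        self.lits = {w: frozenset(lits.get(w, ())) for w in worlds}
        self._check_K1_K3()

    def up(self, a):
        """All b with a <= b."""
        return [b for b in self.P if (a, b) in self.le]

    def fin(self, a):
        """Fin(a): the final (maximal) elements above a."""
        return [b for b in self.up(a) if self.up(b) == [b]]

    def _check_K1_K3(self):
        # The variables of the language are taken to be those mentioned in lits.
        pvars = {l if isinstance(l, str) else l[1]
                 for s in self.lits.values() for l in s}
        for a in self.P:
            for b in self.up(a):
                assert self.lits[a] <= self.lits[b], "K1 (monotonicity) fails"
            for p in pvars:
                assert not (p in self.lits[a] and ('~', p) in self.lits[a]), "K2 fails"
            if self.fin(a) == [a]:   # a is final: it must decide every variable
                for p in pvars:
                    assert p in self.lits[a] or ('~', p) in self.lits[a], "K3 fails"

    def forces(self, a, A):
        """a ||- A, following clauses 1-9 of Section 2."""
        if isinstance(A, str):
            return A in self.lits[a]
        op = A[0]
        if op == 'and':
            return self.forces(a, A[1]) and self.forces(a, A[2])
        if op == 'or':
            return self.forces(a, A[1]) or self.forces(a, A[2])
        if op == 'imp':   # clause 3: checked at every b >= a
            return all(not self.forces(b, A[1]) or self.forces(b, A[2])
                       for b in self.up(a))
        if op == 'box':   # clause 4: A holds at every final element above a
            return all(self.forces(f, A[1]) for f in self.fin(a))
        # op == '~': constructive negation is pushed inward (clauses 5-9)
        B = A[1]
        if isinstance(B, str):
            return ('~', B) in self.lits[a]
        if B[0] == 'and':
            return self.forces(a, ('~', B[1])) or self.forces(a, ('~', B[2]))
        if B[0] == 'or':
            return self.forces(a, ('~', B[1])) and self.forces(a, ('~', B[2]))
        if B[0] == 'imp':
            return self.forces(a, B[1]) and self.forces(a, ('~', B[2]))
        if B[0] == 'box':
            return all(self.forces(f, ('~', B[1])) for f in self.fin(a))
        return self.forces(a, B[1])   # clause 9: ~~A iff A

    def valid(self, A):
        """A is valid in K iff every element forces it."""
        return all(self.forces(a, A) for a in self.P)


def T(A):
    """Translation map of Section 2 for intuitionistic formulas, where
    ('not', A) encodes intuitionistic negation: T(not A) = [] ~T(A)."""
    if isinstance(A, str):
        return A
    if A[0] == 'not':
        return ('box', ('~', T(A[1])))
    return (A[0],) + tuple(T(x) for x in A[1:])


# Constructed sample model: the root decides nothing about p, its two final
# elements decide p in opposite ways.
SAMPLE = KripkeModel(
    worlds=['r', 'f1', 'f2'],
    order={('r', 'f1'), ('r', 'f2')},
    root='r',
    lits={'f1': {'p'}, 'f2': {('~', 'p')}},
)

# Classical tautologies rejected by E (Section 2) are refuted at the root,
# while their [] versions hold there, in line with property (ct).
NOT_P_AND_NOT_P = ('~', ('and', 'p', ('~', 'p')))
EXCLUDED_MIDDLE = ('or', 'p', ('~', 'p'))
```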

3 The Tableau Calculus 

The main contribution of this paper is the definition of a tableau calculus Tab 
for E. As far as we know, no tableau calculus for this logic has been presented in 
the literature. The object language of the calculus is based on the signs T and 
F. A signed formula (sf, for short) is an expression of the form TA or FA, where 
A is any formula; a T-formula is a sf with sign T, whereas an F-formula is a sf 
with sign F. The rules of Tab are in Tables 1-3. The meaning of the signs T 
and F is explained by the notion of realizability. Let K = (P, ≤, ⊩) be a Kripke 
model, let α ∈ P, let A be a formula and let S be a set of sfs. We say that: 

— α ▷ TA (α realizes A) iff α ⊩ A; 

— α ▷ FA iff α ⊮ A; 

— α ▷ S iff, for every H ∈ S, α ▷ H. 
We say that S is realizable iff there exists an element α of some model K 
such that α ▷ S. A configuration is an expression of the form S1 | ... | Sn where, 
for all i = 1, ..., n, Si is a set of sfs. In the rules of the calculus, we denote with 
S, H1, ..., Hm the set S ∪ {H1, ..., Hm} and with S_T the set of T-formulas of S. 
Every rule is applied to a signed formula of a configuration S1 | ... | Si | ... | Sn; 
e.g., the notation S, T(A ∧ B) points out that the rule T∧ is applied to the 
formula T(A ∧ B) of the set S ∪ {T(A ∧ B)}, where S is possibly empty; the 
schema 

S1 | ... | S, T(A ∧ B) | ... | Sn 
------------------------------------ 
S1 | ... | S, TA, TB | ... | Sn 

illustrates an application of the rule T∧. In every rule we distinguish two parts: 
the premise, that is the configuration above the line, and the conclusion, that 
is the configuration below the line. Differently from the calculi for logics with 

Table 1. 




strong negation presented in [1, 7], we are interested in a calculus oriented to an 
efficient implementation. First of all, we aim to avoid duplications, thus to treat 
T(A → B) we need several rules according to the structure of A (see [4, 16]). 
Moreover, to further reduce the depth of the proofs, the rules 

S, T((A ∨ B) → C)               S, T((A → B) → C) 
-----------------------          ---------------------------------------- 
S, T(A → C), T(B → C)            S_T, F(A → B), T(B → C) | S, TC 

of [4, 16] are rewritten as in Table 2, where the new propositional variable p 
avoids the repetition of C in the former rule and of B in the latter rule (see [6, 8]). 
Table 2. 




As already mentioned in the introduction, in some configurations we are allowed 
to apply to a set S the rules of a tableau calculus for Cl. To mark these sets, 
we use the notation [S]Cl and we say that [S]Cl is a classical set; intuitively, the 
signs T and F occurring in [S]Cl have to be understood in a classical way (see 
the rules of Table 3). 



Table 3. 

S, T□A                    S, F□A 
-------------- (T□)       -------------- (F□) 
[S_T, TA]Cl               [S_T, T~A]Cl 

S, T~□A                   S, F~□A 
-------------- (T~□)      -------------- (F~□) 
[S_T, T~A]Cl              [S_T, TA]Cl 

S, T(□A → B)                        S, T(~□A → B) 
------------------------- (T□→)     ------------------------- (T~□→) 
[S_T, T~A]Cl | S, TB                [S_T, TA]Cl | S, TB 



A set S of sfs is contradictory iff one of the following conditions holds: 

1. TA ∈ S and FA ∈ S; 

2. TA ∈ S and T~A ∈ S; 

3. S is a classical set and S is not Cl-consistent. 

It is immediate to prove that: 

Proposition 1. X = {P, <, Ih) . . ^ , ct G P ^ , S , 

, S' , 

, S 

A proof table for a set S is a finite sequence of configurations P1, ..., Pn, where 
P1 is the set S and the configuration P_{i+1} is obtained from P_i = S1 | ... | Sm 
by applying a rule to a non-contradictory set Sk. A closed proof table is a proof 
table P1, ..., Pn where all the sets in the last configuration are contradictory. 
We point out that to check that a classical set is contradictory, we can use any 
classical tableau calculus (extended in a trivial way to the language L). Closed 
proof tables are the proofs of our calculus Tab. A set S is provable in Tab iff 
there exists a closed proof table for S; a formula A is provable in Tab iff there exists a 
closed proof table for {FA}. We remark that the rules of the calculus do not 
increase the number of F-formulas in a set. In particular, if the set in the first 
configuration of a proof table contains at most one F-formula, then every set 
occurring in the proof table contains at most one F-formula. Note that the rule 
F→ applied to a set S of this kind is invertible. On the other hand, the rules 
F∨i and F~∧i are non-invertible, but they capture the constructive meaning 
of disjunction and negation. 

Our aim is to exhibit an “efficient” sound and complete proof search strategy 
for closed proof tables of Tab. We begin by proving that Tab is sound for E. 
The main step consists in showing that the rules of Tab preserve realizability. 
It is easy to prove that: 

Lemma 1. K= (P, <, lb) , ct G P ^ , R , 

> > , S , ■ , , - ‘ ^2 , , , , . a >S, 

, /3 G P , - f G (1, 2} ^ a < /3 ^ . P t> Si , , Si 

From the above lemma we deduce that, if A does not belong to E, then no 
closed proof table for {FA} can exist. Indeed, let K = (P, ≤, ⊩) be a model such 
that A is not valid in K and let us assume that there exists a closed proof table 
P1, ..., Pn for {FA}. Since K realizes {FA}, by the previous lemma K realizes a 
set S of Pn; moreover, if S is a classical set, then S is realized in a final element of K. 
This contradicts Proposition 1. It follows that A is not provable in Tab, hence: 

Theorem 1 (Soundness). If A is provable in Tab, then A ∈ E. 

In the following sections we prove that every formula of E is provable in Tab 
(Completeness Theorem). 



a [> S . 



a 



K 



a [> S . 
4 The Proof Search Strategy 

In this section we describe a procedure Tab which, given a set S of sfs, searches 
for a closed proof table for S. The main issue is to reduce backtracking in proof 
search. In our calculus the rules requiring backtracking are: 

F∨i, F~∧i, T→→, T□→, T~□→, T□, T~□ (i = 1, 2) 

Since we consider sets of sfs having at most one F-formula, the rules F→, F□ 
and F~□ are invertible, thus they do not require backtracking. Moreover, if 
S_T satisfies some properties (see Definition 1 in the next section), also the rules 
F∨i, F~∧i, T□ and T~□ are invertible, as proved in Lemma 2 (see [2] for a 
thorough discussion). 

To describe our procedure we introduce some classes Ci to identify sfs with 
the same behaviour: 

C1 = { F□A, F~□A }; 

C2 = { T(A ∧ B), F(A → B), T~(A ∨ B), T~(A → B), T~~A, F~~A, 
       T((A ∧ B) → C), T(~(A ∧ B) → C), T((A ∨ B) → C), 
       T(~(A ∨ B) → C), T(~(A → B) → C), T(~~A → B) }; 

C3 = { F(A ∧ B), T(A ∨ B), T~(A ∧ B), F~(A ∨ B), F~(A → B) }; 

C4 = { T(□A → B), T(~□A → B) }; 

C5 = { T((A → B) → C) }; 

C6 = { F(A ∨ B), F~(A ∧ B) }; 

C7 = { T□A, T~□A }. 

We describe a recursive procedure Tab(S, applyAll) that, given a set S of sfs 
containing at most one F-formula and a boolean value applyAll, returns either 
a closed proof table for S or NULL if S is realizable (hence, no closed proof table 
for S can exist). The role of applyAll will be clarified in the next section; here 
we only point out that, when applyAll is false, we do not apply any rule to 
signed formulas in S ∩ (C4 ∪ C5) (see line 29 of the procedure). We assume to 
have a subroutine TabCL(S) that, given a set of sfs S, searches for a classical 
closed proof table for S. If a proof is found, TabCL(S) returns [S]Cl, otherwise 
it returns NULL (this means that S is Cl-consistent). Let S be a set of sfs, let 
H ∈ S and let S1 or S1 | S2 be the configuration obtained by applying to S the rule 
Rule(H) corresponding to H (when H ∈ C6, we write Rule1(H) or Rule2(H) 
to identify the rule). If Tab1 and Tab2 are closed proof tables for S1 and S2 
respectively, then 

   S                        S 
------- Rule(H)          ------- Rule(H) 
 Tab1                     Tab1 | Tab2 

denote the closed proof table for S defined in the obvious way; in the pseudocode 
we write these tables as S /Rule(H)/ Tab1 and S /Rule(H)/ Tab1 | Tab2. 
Moreover, Ri(H) (i = 1, 2) denotes the set containing the sfs of Si which 
replace H. For instance: 

R1(T(A ∧ B)) = { TA, TB }; 

R1(T(A ∨ B)) = { TA };   R2(T(A ∨ B)) = { TB }; 

R1(T((A → B) → C)) = { TA, Fp, T(B → p), T(p → C) }; 

R2(T((A → B) → C)) = { TC }. 

The pseudocode for Tab is the following: 



Function Tab(S, applyAll) 

 1  if ( (TA, FA ∈ S) OR (TA, T~A ∈ S) ) 
 2    then return S; 
 3  if ( S ∩ C1 ≠ ∅ ) 
 4    then Let H be the F-formula of S; 
 5         Tab1 ← TabCL(S_T ∪ R1(H)); 
 6         if ( Tab1 ≠ NULL ) 
 7           then return S /Rule(H)/ Tab1; 
 8           else return NULL; 
 9  if ( TA, T(A → B) ∈ S ) 
10    then Tab1 ← Tab((S \ {T(A → B)}) ∪ {TB}, true); 
11         if ( Tab1 ≠ NULL ) 
12           then return S /Rule(T(A → B))/ Tab1; 
13           else return NULL; 
14  if ( S ∩ C2 ≠ ∅ ) 
15    then Let H ∈ S ∩ C2; 
16         Tab1 ← Tab((S \ {H}) ∪ R1(H), true); 
17         if ( Tab1 ≠ NULL ) 
18           then return S /Rule(H)/ Tab1; 
19           else return NULL; 
20  if ( S ∩ C3 ≠ ∅ ) 
21    then Let H ∈ S ∩ C3; 
22         Tab1 ← Tab((S \ {H}) ∪ R1(H), true); 
23         if ( Tab1 ≠ NULL ) 
24           then Tab2 ← Tab((S \ {H}) ∪ R2(H), true); 
25                if ( Tab2 ≠ NULL ) 
26                  then return S /Rule(H)/ Tab1 | Tab2; 
27                  else return NULL; 
28           else return NULL; 
29  if ( applyAll AND (S ∩ (C4 ∪ C5) ≠ ∅) ) 
30    then for ( H ∈ (S ∩ (C4 ∪ C5)) ) 
31         do Tab2 ← Tab((S \ {H}) ∪ R2(H), true); 
32            if ( Tab2 = NULL ) 
33              then return NULL; 
34            if ( H ∈ C4 ) 
35              then Tab1 ← TabCL((S_T \ {H}) ∪ R1(H)); 
36              else Tab1 ← Tab((S_T \ {H}) ∪ R1(H), true); 
37            if ( Tab1 ≠ NULL ) 
38              then return S /Rule(H)/ Tab1 | Tab2; 
39  if ( S ∩ C6 ≠ ∅ ) 
40    then Let H be the F-formula of S; 
41         Tab1 ← Tab(S_T ∪ R1(H), false); 
42         if ( Tab1 ≠ NULL ) 
A Space Efficient Implementation of a Tableau Calculus 



497 



43           then return S /Rule1(H)/ Tab1; 
44           else Tab2 ← Tab(S_T ∪ R2(H), false); 
45                if ( Tab2 ≠ NULL ) 
46                  then return S /Rule2(H)/ Tab2; 
47                  else return NULL; 
48  if ( (S ∩ (C4 ∪ C5) = ∅) AND (S ∩ C7 ≠ ∅) ) 
49    then Let H ∈ S ∩ C7; 
50         Tab1 ← TabCL((S_T \ {H}) ∪ R1(H)); 
51         if ( Tab1 ≠ NULL ) 
52           then return S /Rule(H)/ Tab1; 
53           else return NULL; 
54  return NULL; 

We remark that, when one of the if conditions at lines 1, 3, 9, 14, 20, 39 and 
48 is matched, the corresponding then instruction is executed and the procedure 
ends returning a value. This means that, independently of the choice of H, no 
backtracking is needed. On the contrary, in the for instruction at line 30 it might 
be necessary to try the application of a rule to all the formulas H in S ∩ (C4 ∪ C5) 
and possibly to continue at line 39. We emphasize that to implement F∨i, F~∧i, 
T□ and T~□ without backtracking, it is essential to apply these rules after 
having tried the application of all the other rules (see the proof of Proposition 2 
in the next section). 

Example 1. Let us consider the set of signed formulas 

S = { T((a → (b → c)) → □d), F(a ∨ □((b → c) → d)) } 

To search for a closed proof table for S, we call Tab(S, true). 

(1). Since T((a → (b → c)) → □d) ∈ C5 and applyAll is true, the condition 
in the if statement of line 29 is matched. This means that the procedure 
tries to apply T→→ to S, therefore closed proof tables for the sets 

S1 = { Ta, T((b → c) → p), T(p → □d), Fp } 

S2 = { T□d, F(a ∨ □((b → c) → d)) } 

are searched. 

(2). The call Tab(S2, true) of line 31 is executed in order to build a closed 
proof table for S2. 

(3). The call Tab(S3, false) of line 41 is executed, where S3 = { T□d, Fa }, 
which corresponds to the application of F∨1 to S2. 

(4). The application of T□ to S3 is tried by the call TabCL({Td}) (line 50). 
The NULL value is returned (indeed, Td is Cl-consistent) and also Tab(S3, 
false) fails (line 53 is executed and NULL is returned). 

(5). The execution of Tab(S2, true) continues at line 44 with the computation 
of Tab(S4, false), where 

S4 = { T□d, F□((b → c) → d) } 

namely, F∨2 is applied to S2. 
(6). The call TabCL({T□d, T~((b → c) → d)}) of line 5 is executed (F□ is 
applied to S4) and a classical proof table is found. Thus, both the calls in 
(5) and (2) succeed and the closed proof table Tab2 is built as follows: 

T□d, F(a ∨ □((b → c) → d)) 
------------------------------ F∨2 
T□d, F□((b → c) → d) 
------------------------------ F□ 
[T□d, T~((b → c) → d)]Cl 

(7). Now, the computation of Tab(S, true) continues with the call Tab(S1, 
true) (line 36) in order to build a closed proof table for S1. 

(8). The condition in the if statement of line 29 is matched, thus the for loop 
at line 30 is executed. This means that the application of the rule T→→ to 
S1 is tried for all the signed formulas of the kind T((H1 → H2) → H3). 
We have signed formulas of this kind and it is easy to check that in 
both cases the search for a closed proof table fails. It follows that no closed 
proof table for S1 can be built; nevertheless, Tab(S, true) does not fail, 
but the computation continues with the statements after line 38. 

(9). The condition in the if statement of line 39 is satisfied, thus the computa- 
tion continues with the call Tab(S5, false) of line 41, where 

S5 = { T((a → (b → c)) → □d), Fa } 

(it corresponds to applying F∨1 to S). The procedure immediately fails. As 
a matter of fact, the application of T→→ is not tried since the value 
of applyAll is false, and no other if statement can be executed; hence, 
line 54 is executed and NULL is returned. 

(10). The call Tab(S6, false) of line 44, where 

S6 = { T((a → (b → c)) → □d), F□((b → c) → d) } 

is executed (it corresponds to applying F∨2 to S). 

(11). Since the value of applyAll is false, the instructions inside the if statement 
of line 29 are not executed (namely, the application of T→→ is not tried), 
but the call TabCL(S7) at line 5 is executed (F□ is applied to S6), where 

S7 = { T((a → (b → c)) → □d), T~((b → c) → d) } 

The procedure succeeds in finding a classical closed proof table for 
S7; accordingly, both Tab(S6, false) and Tab(S, true) succeed and the 
returned closed proof table for S is: 

T((a → (b → c)) → □d), F(a ∨ □((b → c) → d)) 
---------------------------------------------- F∨2 
T((a → (b → c)) → □d), F□((b → c) → d) 
---------------------------------------------- F□ 
[T((a → (b → c)) → □d), T~((b → c) → d)]Cl 
Example 2. Let us consider the set 

S = { T((p ∨ q) ∨ r), Fq } 

To build a closed proof table for S, we call Tab(S, true). Line 22 is ex- 
ecuted and Tab(S1, true) is called, where S1 = { T(p ∨ q), Fq } (T∨ is ap- 
plied to S). Again, line 22 is executed and Tab(S2, true) is called, where S2 = 
{ Tp, Fq }. Now, no condition associated with the if statements is matched, hence 
Tab(S2, true) immediately fails (line 54 is executed and NULL is returned). This 
implies that Tab(S1, true) and Tab(S, true) immediately fail (indeed, in both 
cases line 28 is executed and NULL is returned) and no proof table for S is found. 

To prove the termination of Tab and the Completeness Theorem we define 
the function dg as follows: 

— if l is a literal, then dg(l) = 0; 

— dg(A ∧ B) = dg(A) + dg(B) + 2; 

— dg(A ∨ B) = dg(A) + dg(B) + 3; 

— dg(A → B) = dg(A) + dg(B) + (number of implications occurring in A) + 1; 

— dg(~A) = dg(A) + 1; 

— dg(□A) = dg(A); 

— if S is a set of sfs, we set dg(S) = Σ_{H ∈ S} dg(H). 

It is easy to check that, if S is a set of sfs and S' is obtained from S by an 
application of a rule of Tab, then dg(S') < dg(S). Using this fact, it is immediate 
to prove that Tab always terminates. 
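An added example, not the authors' code, that computes dg on formulas encoded as nested tuples and checks that the replacement sets R1(H), R2(H) spelled out in Sections 3-4 (T∧, T∨, F∨ and T→→ with its fresh variable) lower the measure on the set S of Example 1; the encoding, the fresh-variable naming and the helper names are assumptions made here.

```python
import itertools

# Formulas are nested tuples (a constructed encoding, not the paper's notation):
#   'p' variable; ('~', A); ('box', A); ('and', A, B); ('or', A, B); ('imp', A, B).
# A signed formula is ('T', A) or ('F', A); a set of sfs is a frozenset of them.

def is_literal(A):
    return isinstance(A, str) or (A[0] == '~' and isinstance(A[1], str))

def n_imp(A):
    """Number of implications occurring in A."""
    if isinstance(A, str):
        return 0
    return int(A[0] == 'imp') + sum(n_imp(x) for x in A[1:])

def dg(A):
    """The measure dg of Section 4 on formulas."""
    if is_literal(A):
        return 0
    op = A[0]
    if op == 'and':
        return dg(A[1]) + dg(A[2]) + 2
    if op == 'or':
        return dg(A[1]) + dg(A[2]) + 3
    if op == 'imp':
        return dg(A[1]) + dg(A[2]) + n_imp(A[1]) + 1
    if op == '~':
        return dg(A[1]) + 1
    return dg(A[1])   # op == 'box': dg([]A) = dg(A)

def dg_set(S):
    """dg of a set of sfs: the sum over its members (the sign plays no role)."""
    return sum(dg(A) for _, A in S)

_counter = itertools.count()

def fresh_var():
    """A propositional variable not used so far (assumed naming scheme)."""
    return 'p%d' % next(_counter)

def is_imp_imp(H):
    """H is of the kind T((A -> B) -> C), i.e. H belongs to the class C5."""
    sign, A = H
    return (sign == 'T' and A[0] == 'imp'
            and not isinstance(A[1], str) and A[1][0] == 'imp')

def replacements(H):
    """R_1(H) and R_2(H) for the rules whose replacement sets are given in
    Sections 3-4: T/\, T\/, F\/ and T->-> (with its fresh variable).
    R_2 is None when the rule has a single set in its conclusion."""
    sign, A = H
    if sign == 'T' and A[0] == 'and':
        return {('T', A[1]), ('T', A[2])}, None
    if sign == 'T' and A[0] == 'or':
        return {('T', A[1])}, {('T', A[2])}
    if sign == 'F' and A[0] == 'or':
        return {('F', A[1])}, {('F', A[2])}
    if is_imp_imp(H):
        (_, B, C), D = A[1], A[2]
        p = fresh_var()
        return ({('T', B), ('F', p), ('T', ('imp', C, p)), ('T', ('imp', p, D))},
                {('T', D)})
    raise ValueError('rule not covered by this example')

def apply_rule(S, H):
    """The sets S_1 (and S_2) of the conclusion of Rule(H) applied to S.
    For T->-> the first set is built on S_T only, since R_1 brings its own
    F-formula Fp (line 36 of the procedure); R_2 keeps the F-formula of S."""
    R1, R2 = replacements(H)
    rest = S - {H}
    base1 = {sf for sf in rest if sf[0] == 'T'} if is_imp_imp(H) else rest
    S1 = frozenset(base1 | R1)
    S2 = frozenset(rest | R2) if R2 is not None else None
    return S1, S2

def measure_decreases(S, H):
    """dg(S_i) < dg(S) for every set S_i of the conclusion."""
    before = dg_set(S)
    return all(dg_set(Si) < before for Si in apply_rule(S, H) if Si is not None)

# The set S of Example 1, in the encoding above (constructed here).
EX1_H = ('T', ('imp', ('imp', 'a', ('imp', 'b', 'c')), ('box', 'd')))
EX1 = frozenset({
    EX1_H,
    ('F', ('or', 'a', ('box', ('imp', ('imp', 'b', 'c'), 'd')))),
})
```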

Remark 1. Along the lines of [6], it is possible to prove that the depth of every 
proof table of Tab is linearly bounded in the length of the proved formula. This property 
implies the space efficiency of Tab (see the discussion in Section 6). 

5 Completeness 

We prove that, when the call Tab(S, applyAll) returns NULL, S is realizable and 
we can actually build a countermodel for S (namely, a model K = (P, ≤, ρ, ⊩) 
such that ρ ▷ S). To justify the lack of backtracking in rules F∨i, F~∧i, T□ 
and T~□ we introduce the notion of →-realizability. 

Definition 1. Let S_T be a set of T-formulas. We say that S_T is →-realizable iff 

S_T ⊆ { Tl, T(l → A) | l is a literal } ∪ C4 ∪ C5 ∪ C7 

and the following conditions hold: 

— if T(l → B) ∈ S_T, with l a literal, then Tl ∉ S_T; 

— if T(□A → B) ∈ S_T, then (S_T \ {T(□A → B)}) ∪ {T~A} is realizable; 

— if T(~□A → B) ∈ S_T, then (S_T \ {T(~□A → B)}) ∪ {TA} is realizable; 

— if T((A → B) → C) ∈ S_T, then 
(S_T \ {T((A → B) → C)}) ∪ {TA, Fp, T(B → p), T(p → C)} is realizable, where p is 
a new propositional variable. 

If S_T is →-realizable and S_T ∩ (C4 ∪ C5) ≠ ∅, then S_T is realizable as 
well. 

Using a semantical construction on Kripke models, in [2]  it is proved that: 

Lemma 2. Let S_T be →-realizable. Then: 

(i) S_T, F(A ∨ B) is realizable iff S_T, FA and S_T, FB are realizable; 

(ii) S_T, F~(A ∧ B) is realizable iff S_T, F~A and S_T, F~B are realizable. 

Moreover, if l is a literal and Tl ∉ S_T, then: 

() St, FI ^ St , Cl 

We say that the call Tab(S, applyAll) is sound iff applyAll is true or S_T is 
→-realizable. 

Proposition 2. Let S be a set of sfs containing at most one F-formula and let 
Tab(S, applyAll) be a sound call. If Tab(S, applyAll) returns NULL, then there 
exists a Kripke model K = (P, ≤, ρ, ⊩) such that ρ ▷ S. 

Proof. Let us assume, by induction hypothesis, that the proposition holds for 
all sets S' such that dg(S') < dg(S). We prove that the proposition holds for S 
by inspecting all the possible cases where the procedure returns the NULL value. 
We show some significant cases (the whole proof is in [2]). 

Let us assume, for instance, that, at line 31, the call Tab(S', true) has been 
executed, with S' = (S \ {T(□A → B)}) ∪ {TB}. By induction hypothesis there 
exists a Kripke model K = (P, ≤, ρ, ⊩) such that ρ ▷ S', hence ρ ▷ S. 

If none of the conditions at lines 1, 3, 9, 14, 20 and 29 holds, we claim 
that S_T is →-realizable. Indeed, if the second parameter of the function is false, 
this follows by the hypothesis of the proposition. Otherwise, using the induction 
hypothesis, one can easily check that S_T satisfies the definition of →-realizability. 
In particular, the realizability of (S_T \ {H}) ∪ R1(H), for H ∈ C4 ∪ C5, follows 
from the fact that the procedure has not terminated inside the for instruction at 
line 30, since the value of Tab1 is NULL. 

Suppose that S = S_T ∪ {F(A ∨ B)} and let S_A = S_T ∪ {FA}, S_B = S_T ∪ {FB}. 
Then, both the calls Tab(S_A, false) and Tab(S_B, false) have returned the 
NULL value. Note that both calls are sound (indeed, (S_A)_T = (S_B)_T = S_T and 
S_T is →-realizable), thus, by induction hypothesis, both S_T, FA and S_T, FB are 
realizable. By Lemma 2(i), S is realizable. The case S = S_T ∪ {F~(A ∧ B)} is 
similar. □ 

By the above proposition, the Completeness Theorem immediately follows. 

Theorem 2 (Completeness). If A ∈ E, then Tab({FA}, true) does not return 
NULL. 

As a consequence of the above theorem, we have a trivial proof of properties 
(cf), (dp) and (ct) of E stated in Section 2. 

6 Implementation of the Decision Procedure 

We have implemented a decision procedure based on Tab and TabCL. The 
implementation uses the signs T, F, Tc and Fc. The signs T and F are used 
as in Tab. When the procedure TabCL is called, the signs of the formulas are 
turned into Tc (classical truth) and Fc (classical falsity). To treat formulas with 
signs Tc and Fc, rules of a classical tableau calculus are used. Since the rules for 
classical logic are invertible, backtracking is not required. To reduce the number 
of nodes in the classical tableau, the rules having one set in the conclusion are 
applied first. Since signed formulas TH and TcH, where H is an axiom of Cl, 
are not needed to close a proof table, they are deleted any time they appear in 
a configuration. Whenever a rule is applied, the condition in line 1 is checked 
as follows. If the rule related to H is applied to (S \ {H}), H, the consistency 
of the resulting set Si is checked considering every formula in Ri(H): every 
T-formula in Ri(H) is checked against the F-formula and the T-formulas of 
Si \ Ri(H). If Ri(H) contains the F-formula, then it is checked against the T- 
formulas of Si \ Ri(H). The implementation proceeds in a similar way for the 
signs Tc and Fc. 

Tab is implemented as an iterative procedure. The implementation uses a 
stack to take into account two different levels of backtracking. The former level of 
backtracking, related to the for statement at line 30, is used to explore the search 
space of the proof table. The latter level of backtracking, related to lines 24 and 
36, is used to visit with a depth-first strategy a single proof table to determine 
if it is closed. The stack has, at most, as many elements as the longest branch of 
the deepest proof table in the search space. Every element of the stack contains 
the sets of formulas of the nodes in the branch the procedure is visiting and two 
integers denoting, respectively, which formula of the set has been used to get the 
subsequent set and whether the right subtree of the node has already been visited. By 
Remark 1, the stack has a number of elements linearly bounded in the length 
of the formula to be proved. Moreover, the number of symbols in each node of 
every proof table is linearly bounded in the length of the formula to be proved. 
Thus, the implementation is O(n²)-SPACE. Finally, the iteration at line 30 is 
implemented to apply the rules of C4 first, since the first set in the conclusion 
gives rise to a classical set of formulas. 



7 Conclusion and Future Work 

We have provided a tableau calculus for the logic E and the related decision 
procedure that minimizes the backtracking. The implementation has been de- 
veloped in the C++ language. Since we are interested in using the logic E in the 
field of timing analysis, we plan to extend our program in order to extract timing 
information from proofs of E, to implement the algorithms described in [5]. 



The program is available at http://www.dimequant.unimib.it/elogic/index.html. 

Abstract. We show how to automatically generate analytic hyperse- 
quent calculi for a large class of logics containing the linearity axiom 
(lin) (A ⊃ B) ∨ (B ⊃ A) starting from existing (single-conclusion) 
cut-free sequent calculi for the corresponding logics without (lin). As 
a corollary, we define an analytic calculus for Strict Monoidal T-norm 
based Logic SMTL. 



1 Introduction 

A central task of logic in computer science is to provide , _ , 

of suitable ^ , , for a wide range of non-classical logics. By analytic 

calculi we mean calculi in which the proof search proceeds by step-wise decompo- 
sition of the formula to be proved. The most famous examples of such calculi are 
the Gentzen sequent calculus LK and its single-conclusion version LJ for classi- 
cal and intuitionistic logic respectively. Cut-free “Gentzen-style” calculi serve as 
a basis for automated deduction, and allow the extraction of important implicit 
information from proofs such as numerical bounds and programs in proof-style. 

The presence of the linearity axiom (lin) (A ⊃ B) ∨ (B ⊃ A) in the Hilbert- 
style axiomatization of a logic ensures a total ordering among the elements of 
its intended models (e.g., Kripke structures, truth-value interpretations). Several 
logics have been defined adding (lin) to well known systems. E.g., all fuzzy logics 
based on t-norm¹ connectives [12] - a prominent example being Gödel logic² 
[11, 8, 19] which arises by extending intuitionistic logic IL with (lin). Weaker 
logics such as Monoidal T-norm based Logic MTL [9] - the logical counterpart of 
left continuous t-norms and their residua - or both versions of Urquhart's C [21], 
have also been defined adding (lin) to suitable contraction-free versions of IL. 

In this paper we show how to automatically generate analytic Gentzen style 
calculi for a large class of logics containing (lin). To this end we consider a natural 
generalization of sequent calculi: hypersequent calculi. Hypersequent calculi arise 



* Work supported by C. Bühler-Habilitations-Stipendium H191-N04, from the Aus- 
trian Science Fund (FWF). 

¹ T-norms are the main tool in fuzzy logic to combine vague information. 

² Gödel logic is also known as Dummett's LC [8] or Intuitionistic Fuzzy Logic [19]. 

by extending Gentzen calculi to refer to whole contexts of sequents instead of 
single sequents. They are particularly suitable for dealing with logics including 
(lin). Indeed, as shown by Avron in [2], this axiom can be enforced in LJ, once 
one embeds sequents into hypersequents and adds suitable rules to manipulate 
the additional layer of structure. In particular, the crucial rule added to LJ is 
the communication rule (com). This design resulted in an analytic calculus for 
Gödel logic. The same methodology was used e.g. in [6, 5] to introduce analytic 
hypersequent calculi for some basic fuzzy logics, including MTL and Urquhart’s 
C, arising by adding (lin) to suitable contraction-free versions of IL. 

Here we generalize these results, showing that (com) can be viewed, in fact, 
as a transfer principle that translates (single-conclusion) cut-free sequent calculi 
for a large class of logics that do not satisfy (lin) into cut-free hypersequent 
calculi for the corresponding logics with (lin). This will give us the means to 
derive systematically analytic deduction methods for logics whose Hilbert-style 
axiomatizations contain (lin), starting from existing analytic calculi for the cor- 
responding logics without (lin). To do this, 

— we first introduce a general cut-elimination method for sequent calculi 
(cut-elimination by substitution) that can be easily transferred to the hyperse- 
quent level. Sufficient conditions a calculus has to satisfy in order to ad- 
mit cut-elimination by substitution are also provided. Among other things, 
these conditions render our cut-elimination procedure easier to verify than 
“ad hoc” procedures. (The verification of such cut-elimination pro- 
cedures for hypersequent calculi has been shown to be problematic in the 
literature.) 

— We characterize the logics that admit this transfer principle, providing some 
general conditions (on their sequent calculi/Hilbert-style systems) they have 
to satisfy both at the propositional and at the first-order level. 

— As an easy corollary of the transfer principle we define an analytic hyperse- 
quent calculus for Strict Monoidal T-norm based Logic SMTL [9] - the logic 
of left-continuous t-norms satisfying the pseudo-complementation property. 

2 Sequent and Hypersequent Calculi 

The aim of this section is to settle the (hyper)sequent calculi we will deal with. 
We start by recalling some basic definitions in order to fix the notation and 
terminology we shall use throughout the paper. 

The sequent calculus was introduced by Gentzen [10] in 1934 (see [18] or [20] for a detailed overview). Gentzen sequents are expressions of the form Γ ⇒ Δ where Γ and Δ are finite sequences of formulas, respectively called the antecedent and the succedent of the sequent. If in a sequent calculus the succedents of all sequents contain at most one formula, the calculus is said to be single-conclusion.

In general, in a sequent calculus there are axioms (or initial sequents) and inference rules. The latter are divided into structural rules, logical rules and cut.

In each logical rule, the introduced formula and the corresponding auxiliary formula(s) are called the principal formula and the active formula(s), respectively. We will refer to the remaining formulas in logical rules, as well as to the formulas that remain unchanged in structural rules, as (internal) contexts.

We call - - a multi-premises rule whose contexts in its premises are the 
same. If those contexts are different and simply merged in the conclusion, the 
rule is said to be , , , 

Recall that the structural rules introduced by Gentzen are exchange, weakening and contraction, with single-conclusion versions:

$$\frac{\Gamma, B, A, \Gamma' \Rightarrow C}{\Gamma, A, B, \Gamma' \Rightarrow C}\,(e) \qquad \frac{\Gamma, A, A \Rightarrow C}{\Gamma, A \Rightarrow C}\,(c) \qquad \frac{\Gamma \Rightarrow C}{\Gamma, A \Rightarrow C}\,(w,l) \qquad \frac{\Gamma \Rightarrow}{\Gamma \Rightarrow C}\,(w,r)$$

As is well known, their presence or absence determines completely different systems. For instance, a sequent formulation ScFLew for Full Lambek calculus with exchange and weakenings¹ FLew is obtained by eliminating (c) from the LJ sequent calculus for IL, see [13]. This entails the splitting of the connective "and" of IL into (the additive version) ∧ and (the multiplicative version) ⊙.

Further structural rules can be defined. Here below are some examples of weaker forms of contraction, i.e. the rules (wc) and n-contraction (nc):

$$\frac{\Gamma, A, A \Rightarrow}{\Gamma, A \Rightarrow}\,(wc) \qquad \frac{\Gamma, A^{n} \Rightarrow C}{\Gamma, A^{n-1} \Rightarrow C}\,(nc)$$

where A^k stands for A, ..., A, k times.

A derivation in a sequent calculus is a labelled finite tree with a single root (called the end sequent), with axioms at the top nodes, and each node-label connected with the label of the (immediate) successor nodes (if any) according to one of the rules. We refer to those connections as (correct) inferences.

Definition 1. , ' , , , , i > i i '' i , ' , , i i , > > > stan- 

dard ^ ' 

> ( )) 

( ) V./ , - ' 

c; , 

() , - 



_L 



c , 



$$\frac{\Gamma \Rightarrow A \qquad A, \Gamma' \Rightarrow C}{\Gamma, \Gamma' \Rightarrow C}\,(cut)$$



¹ FLew also coincides with the exponential-free fragment of affine Intuitionistic Linear Logic ILL, i.e. ILL with weakenings.
Definition 2. >>, i - - , , ' ' , , , i i ' > , -i , 

, , . , L3,,,IL first-order standard sequent calculus 

Henceforth we will only consider (first-order) standard sequent calculi. 
Hypersequent calculi were introduced in [1] and [14]. They are a natural 
generalization of Gentzen sequent calculi. 

Definition 3. hypersequent ^ ^ Ti 77i | . . . | 

,, i = ■ -n, Fi ^ Ui ^ ^ ^ ^ ^ Fi ^ Ili ^ _ compo- 
nent ^ , r ^ ^ ^ I ,>> - single-conclusion , ^ ^ ^ 



The symbol “|” is intended to denote disjunction at the meta-level. 

Like ordinary sequent calculi, hypersequent calculi consist of initial hypersequents (i.e., axioms) as well as logical rules, structural rules and cut. Axioms, logical rules and cut are essentially the same as in sequent calculi. The only difference is the presence of a side hypersequent, denoted by G, representing a (possibly empty) hypersequent. E.g. the hypersequent versions of the LJ rules (⊃,r), (∨,r)_{i=1,2} and (∨,l) are² respectively:

$$\frac{G \mid \Gamma, A \Rightarrow B}{G \mid \Gamma \Rightarrow A \supset B}\,(\supset,r) \qquad \frac{G \mid \Gamma \Rightarrow A_i}{G \mid \Gamma \Rightarrow A_1 \vee A_2}\,(\vee,r)_i \qquad \frac{G \mid \Gamma, A \Rightarrow C \qquad G \mid \Gamma, B \Rightarrow C}{G \mid \Gamma, A \vee B \Rightarrow C}\,(\vee,l)$$



Structural rules are divided into internal and external ones. The internal structural rules deal with formulas within components. They are the same as in ordinary sequent calculi. The external structural rules manipulate whole components of a hypersequent. Examples of this kind of rules are external weakening (ew) and external contraction (ec):

$$\frac{G}{G \mid \Gamma \Rightarrow A}\,(ew) \qquad \frac{G \mid \Gamma \Rightarrow A \mid \Gamma \Rightarrow A}{G \mid \Gamma \Rightarrow A}\,(ec)$$



Let Sc be any sequent calculus. We refer to its hypersequent version HSc as the calculus containing the axioms and rules of Sc augmented with side hypersequents and, in addition, (ew) and (ec). (Note that HSc has the same expressive power as Sc.) However, in hypersequent calculi it is possible to define further external structural rules which simultaneously act on several components of one or more hypersequents. It is this type of rule which increases the expressive power of hypersequent calculi compared to ordinary sequent calculi. A remarkable example of this kind of rules is Avron's communication rule [2]:

$$\frac{G \mid \Gamma, \Gamma' \Rightarrow A \qquad G \mid \Gamma_1, \Gamma'_1 \Rightarrow A'}{G \mid \Gamma, \Gamma_1 \Rightarrow A \mid \Gamma', \Gamma'_1 \Rightarrow A'}\,(com)$$



Adding this rule to HLJ yields an analytic calculus for Gödel logic [11].



² We will use the same notation both for sequent and hypersequent rules. However, the context will always provide the relevant information.
The hypersequent versions of the quantifier rules we will consider are:

$$\frac{G \mid A(t), \Gamma \Rightarrow B}{G \mid (\forall x)A(x), \Gamma \Rightarrow B}\,(\forall,l) \qquad \frac{G \mid \Gamma \Rightarrow A(a)}{G \mid \Gamma \Rightarrow (\forall x)A(x)}\,(\forall,r) \qquad \frac{G \mid A(a), \Gamma \Rightarrow B}{G \mid (\exists x)A(x), \Gamma \Rightarrow B}\,(\exists,l) \qquad \frac{G \mid \Gamma \Rightarrow A(t)}{G \mid \Gamma \Rightarrow (\exists x)A(x)}\,(\exists,r)$$

where the eigenvariable condition in (∃,l) and (∀,r) has to apply to the whole hypersequent conclusion of the rule, i.e., the free variable a must not occur in the lower hypersequent. Indeed, in hypersequent calculi with (com), if one requires only the weaker condition that a must not occur in the lower sequent, then ∃xF(x) ⇒ ∀xF(x) turns out to be derivable.
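A small checker, added here and not part of the paper, makes the caveat concrete: formulas and hypersequents are plain tuples, only the rules involved are implemented, and the constructed derivation of ∃xF(x) ⇒ ∀xF(x) is accepted when the eigenvariable condition is checked on the lower sequent only and rejected when it is checked on the whole lower hypersequent.

```python
"""Eigenvariable condition in hypersequent calculi with (com): a tiny checker.

Added example, not part of the paper.  Formulas are tuples: ('F', 'a') is the
atom F(a); ('all', 'x', body) and ('ex', 'x', body) are quantified formulas;
terms are bare variable/constant names.  A sequent is (antecedent_tuple,
succedent) and a hypersequent is a tuple of sequents.  Only axioms A => A,
(com), (ec), (forall,r) and (exists,l) are implemented.
"""

def free(f):
    """Variables and constants occurring free in formula f."""
    if f[0] in ('all', 'ex'):
        return free(f[2]) - {f[1]}
    return set(f[1:])

def subst(f, x, t):
    """Replace every free occurrence of x in f by t."""
    if f[0] in ('all', 'ex'):
        return f if f[1] == x else (f[0], f[1], subst(f[2], x, t))
    return (f[0],) + tuple(t if v == x else v for v in f[1:])

def free_seq(s):
    return set().union(*(free(f) for f in s[0] + (s[1],)))

def free_hyp(h):
    return set().union(*(free_seq(s) for s in h))

def axiom(a):
    return (((a,), a),)

def replace(h, i, s):
    return h[:i] + (s,) + h[i + 1:]

def forall_r(prem, i, x, a, whole):
    """(forall,r) on component i of prem with eigenvariable a.  Returns the
    conclusion, or None when a occurs where the chosen condition forbids it:
    whole=True checks the lower hypersequent, whole=False only the lower sequent."""
    ante, succ = prem[i]
    concl = replace(prem, i, (ante, ('all', x, subst(succ, a, x))))
    forbidden = free_hyp(concl) if whole else free_seq(concl[i])
    return None if a in forbidden else concl

def exists_l(prem, i, j, x, a, whole):
    """(exists,l) on the j-th antecedent formula of component i, eigenvariable a."""
    ante, succ = prem[i]
    ante = ante[:j] + (('ex', x, subst(ante[j], a, x)),) + ante[j + 1:]
    concl = replace(prem, i, (ante, succ))
    forbidden = free_hyp(concl) if whole else free_seq(concl[i])
    return None if a in forbidden else concl

def com(p1, k1, p2, k2):
    """Avron's (com): from G | Gamma,Gamma' => A and G | Gamma1,Gamma1' => A'
    derive G | Gamma,Gamma1 => A | Gamma',Gamma1' => A'.  k1 and k2 say where
    the antecedents of the last components are split."""
    if p1[:-1] != p2[:-1]:  # the side hypersequents G must agree
        raise ValueError("(com) needs the same side hypersequent in both premises")
    (ga, a), (gb, b) = p1[-1], p2[-1]
    return p1[:-1] + ((ga[:k1] + gb[:k2], a), (ga[k1:] + gb[k2:], b))

def ec(h):
    """External contraction on the last two (equal) components."""
    if h[-1] != h[-2]:
        raise ValueError("(ec) needs two equal components")
    return h[:-1]

def derive_ex_to_all(whole):
    """Attempt the derivation of exists x F(x) => forall x F(x); returns the end
    hypersequent, or None if the eigenvariable condition blocks some step."""
    Fa, Fb = ('F', 'a'), ('F', 'b')
    # (com) on the axioms F(a) => F(a) and F(b) => F(b), with the antecedents
    # split as Gamma = (), Gamma' = F(a) and Gamma1 = F(b), Gamma1' = ()
    h = com(axiom(Fa), 0, axiom(Fb), 1)  # F(b) => F(a) | F(a) => F(b)
    steps = [
        lambda h: forall_r(h, 0, 'x', 'a', whole),  # a still occurs in component 1
        lambda h: exists_l(h, 0, 0, 'x', 'b', whole),
        lambda h: forall_r(h, 1, 'x', 'b', whole),
        lambda h: exists_l(h, 1, 0, 'x', 'a', whole),
        ec,
    ]
    for step in steps:
        if h is None:
            return None
        h = step(h)
    return h

# The hypersequent consisting of the single sequent exists x F(x) => forall x F(x).
EX_TO_ALL = (((('ex', 'x', ('F', 'x')),), ('all', 'x', ('F', 'x'))),)

if __name__ == '__main__':
    print(derive_ex_to_all(whole=False) == EX_TO_ALL)  # True
    print(derive_ex_to_all(whole=True))                 # None
```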



Definition 4. 






> J ( 



) standard hypersequent calculus 



Let HS be any sequent or hypersequent calculus. In the following we write d, S' ⊢_HS S if d is a derivation in HS of the (hyper)sequent S from the assumption S', i.e. a labelled tree whose nodes are applications of rules of HS and whose leaves are either S' or axioms.






Definition 5. length [dj 


d , HS , 


r . ' 


; + , - , , , ' 


■ d 


complexity \A\ ^ , 








cut-rank p(d) ^ , d ^ ( 
+ (p(d) = 0 , d ^ , ) 







3 Cut-Elimination by Substitutions 

Cut-elimination is one of the most important procedures in logic. The removal of cuts corresponds to the elimination of "lemmas" from derivations. This renders a derivation analytic, in the sense that all formulas occurring in the derivation are subformulae of the formula to be proved.

Here we prove that if a standard (first-order) sequent calculus Sc admits cut-elimination, then HSc + (com), i.e. its hypersequent version with in addition (com), admits cut-elimination too. For this purpose, we introduce a cut-elimination method for sequent calculi (cut-elimination by substitutions) that can be easily transferred to the hypersequent level (and in particular to the corresponding hypersequent calculi with (com)).

We start by discussing which of the main cut-elimination methods for sequent calculi can be used in the hypersequent context, and how. Recall that Gentzen's cut-elimination method proceeds by eliminating an uppermost cut in a derivation by a double induction on the complexity c of the cut formula (+1) and on the sum l of the lengths of its left and right derivations. In his original proof of the cut-elimination theorem for sequent calculus [10], Gentzen met the following problem: if the cut formula is derived by (c), the permutation of cut with (c) does not necessarily move the cut higher up in the derivation. To solve this problem, he introduced the mix rule, a derivable generalization of cut.

In hypersequent calculi a similar problem arises when one tries to permute cut with (ec). (Note that the solution proposed in [6], i.e., to proceed by induction on (#(ec), c, l) where #(ec) is the number of applications of (ec) in a derivation, does not work.) In analogy with Gentzen's solution, a way to overcome the problem due to (ec) is to introduce suitable "ad hoc" (derivable) generalizations of the mix rule for each hypersequent calculus. These rules should allow certain cuts to be reduced. E.g. to prove cut-elimination in the hypersequent calculus for propositional Gödel logic, Avron used the following induction hypothesis [2] (generalized mix rule):

If H | Γ_1 ⇒ A | ... | Γ_n ⇒ A and H | Σ_1, A^{m_1} ⇒ B_1 | ... | Σ_k, A^{m_k} ⇒ B_k are cut-free provable, so is H | Γ, Σ_1 ⇒ B_1 | ... | Γ, Σ_k ⇒ B_k, where Γ = Γ_1, ..., Γ_n and A^m stands for A, ..., A, m times.

However, this generalized mix rule does not work for calculi not admitting, e.g., (c) or (w). (Note that to shift upward a cut in which a component Γ_i ⇒ A, with i ∈ {1, ..., n}, is derived by (ec) or (ew), one needs to use the rules (c) and (w), respectively.)

A different cut-elimination method for sequent calculus was introduced by Schütte and Tait [15,17]. This proceeds by eliminating a largest cut in a derivation (w.r.t. the number of connectives and quantifiers). The main feature of this method is that a cut with a non-atomic cut formula is not shifted upward but simply reduced (i.e., replaced by smaller cuts) using the inversion(s) of the premises of the original cut (see, e.g. [16]). This renders the presence of (ec) unproblematic once one uses this method in hypersequent calculi. Proofs of cut-elimination à la Schütte-Tait for the hypersequent calculi for (first-order) Gödel log
ic and MTL can be found, e.g., in [3,5]. There, in fact, to eliminate a cut with a non-atomic cut formula only one premise of this cut is inverted and used to replace the cut by smaller ones exactly in the place(s) in which the cut formula (of the remaining premise of the cut) is introduced.

However, cut-elimination à la Schütte-Tait cannot be straightforwardly transferred from a sequent to the corresponding hypersequent calculus. Moreover, demanding the invertibility (even) of (only) one of the premises of cuts seems to be a rather strong condition. Indeed, there do exist (hyper)sequent calculi in which cuts are eliminable but in which none of the premises of a cut is invertible. An example of such a calculus is obtained by replacing the right rule introducing ∧ in the ScFLew calculus for FLew by the following rules:



$$\frac{\Gamma \Rightarrow A_1 \qquad \Gamma', A_1 \Rightarrow A_2}{\Gamma, \Gamma' \Rightarrow A_1 \wedge A_2}\,(\wedge,r)_1 \qquad \frac{\Gamma \Rightarrow A_2 \qquad \Gamma', A_2 \Rightarrow A_1}{\Gamma, \Gamma' \Rightarrow A_1 \wedge A_2}\,(\wedge,r)_2$$



This calculus admits cut-elimination (e.g., using Gentzen's method, see [5]) but neither of the premises of a cut with cut formula A ∧ B can be inverted in the usual way.
In the proof of Theorem 1 below, we introduce cut-elimination by substitutions. This proceeds by eliminating an uppermost cut in a derivation. The idea behind this method is to eliminate a cut via suitable substitutions in the derivations d_0 ⊢_Sc Σ ⇒ A and d_1 ⊢_Sc Γ, A ⇒ C of its premises. We substitute all the occurrences of the cut formula. When we do this we have also to replace all the subproofs of d_0 and d_1 ending in an inference whose principal formula is an occurrence of the cut formula. This requires us to trace up the occurrences of the cut formula through d_0 and d_1. For this purpose we use below the notion of decoration of a formula A in a derivation d, which essentially amounts to the (marked) derivation obtained by following up and marking in d all occurrences of the considered formula A starting from the end sequent of d: if at some stage any marked occurrence of A (indicated by A*) is multiplied by a certain (internal or external) structural rule, we mark and trace up all these occurrences of the formula from the premise(s). In outline, two cases can occur.

— If the cut formula (A*) was not introduced by any logical (or quantifier) rule in d_0 (respectively d_1), the cut is replaced by the derivation d_0 (respectively d_1) in which one substitutes all A* by Γ and C (respectively Σ) (*).

— Suppose A* was introduced by some logical (or quantifier) rules in d_0 and d_1. The required derivation is obtained from d_0 and d_1 by replacing all A*s via suitable substitutions (*), and replacing the inferences which introduced A* with suitable cuts on subformulas of A (**).

The applicability of cut-elimination by substitutions relies on the fact that the considered (standard) sequent calculus satisfies (**) and (*), namely, its rules allow the replacement of cuts by smaller ones (i.e. logical and quantifier rules are reductive) and they lead to correct inferences once one uniformly replaces any formula in their premises and (some occurrences of this formula in their) conclusions by multisets of formulas (i.e., rules are substitutive). The latter condition can be equivalently expressed as: the rules allow any cut to be shifted upward replacing the cut formula in their premises by the contexts of the remaining premise of the cut.
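As an added illustration (not from the paper) of cases (*) and (**): assume for (*) that d_1 ends with an application of (w,l) introducing the cut formula, so that substituting Σ for A* turns the cut into repeated weakenings; and assume for (**) that the cut formula B ∨ C is introduced by (∨,r)_1 in d_0 and by a context-sharing (∨,l) in d_1, so that the incorrect inference left after substituting Σ for A* in d_1 is replaced by a cut on the subformula B, of rank |B| + 1 < |B ∨ C| + 1:

$$\frac{d_0 \vdash \Sigma \Rightarrow A \qquad \dfrac{\Gamma \Rightarrow C}{\Gamma, A^{*} \Rightarrow C}\,(w,l)}{\Gamma, \Sigma \Rightarrow C}\,(cut) \quad\leadsto\quad \dfrac{\Gamma \Rightarrow C}{\Gamma, \Sigma \Rightarrow C}\,(w,l)\ \text{(once per formula of } \Sigma)$$

$$\frac{\dfrac{\Sigma \Rightarrow B}{\Sigma \Rightarrow (B \vee C)^{*}}\,(\vee,r)_1 \qquad \dfrac{\Gamma, B \Rightarrow D \qquad \Gamma, C \Rightarrow D}{\Gamma, (B \vee C)^{*} \Rightarrow D}\,(\vee,l)}{\Gamma, \Sigma \Rightarrow D}\,(cut) \quad\leadsto\quad \dfrac{\Sigma \Rightarrow B \qquad \Gamma, B \Rightarrow D}{\Gamma, \Sigma \Rightarrow D}\,(cut)$$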

Before introducing the formal definition of reductive and substitutive rules let us consider the following explanatory example:

Example. The contraction rule (c) is substitutive. Indeed the sequents obtained by replacing any formula X ∈ Γ (or by replacing A) with a multiset Σ in its conclusion can be derived by applying (c) to the sequent Γ, A, A ⇒ C after having replaced X ∈ Γ (or the two occurrences of A) with Σ. Moreover, the sequent Γ, A, Σ ⇒ D, obtained by substituting C in the conclusion of (c) with Σ and D, can be derived by applying (c) to Γ, A, A ⇒ C in which one carries out the same substitution. By contrast, the n-contraction rule (nc) is not substitutive. Indeed e.g. the sequent Γ, A^{n-2}, Σ ⇒ C, obtained by substituting one occurrence of A with Σ in its conclusion, cannot be derived by applying (nc) to Γ, A^n ⇒ C.

Definition 6. HS ), , > > i 




510 



A. Ciabattoni 



, C,' > , , ) ' , {(*; Ol) • ■ • > (*J ^)n} , - {(*jOi> 

l)m} . - ' ( ) * reductive 

, ‘ , / !, 

i*J)i , - i*,r)j ^ ^ j = l,...m) , . _ _ , , , 

, _ , , , , , , HS , , HS , ("n > 1 

, - Cy^C')‘ ‘ ‘ 

{G \ n ^ C[ \ )n ^ Cl {G\n^c^\ )r„ ^ c„ 

{G \ r' => c' \ )r c ^ ^ 



- ^ , substitutive 
, H (, I 

r r' 



> , ( ), , r( r; , - 



‘ , ,‘hs, , , ‘ ■ \ ,AR) ' ^ 

' , ' ' , , Ri‘ r' (z=l,...‘nj 

. c ( ^ C) ^ ^ , ( )^ (, 

I {G\r' \ )s,r^D ( ,, {G\r',s^D)\r^ 

c)‘., s , - D ^ ^ ‘ ^ r - , . . , 

, HS, ,, (i?) r^>\s ^ D ^ ^ 

rP^G\\ ‘ ‘ ' c[Ac ( ^ , g[Ag')‘ 



Let d{s) and H{s) denote the results of substituting the term s for all free 
occurrences of x in the derivation d{x) and in the (hyper)sequent H(x). 

Lemma 1 (Substitution Lemma). Let HS be any (hyper)sequent calculus. If d(x) ⊢_HS H(x), then d(s) ⊢_HS H(s), |d(s)| = |d(x)| and ρ(d(s)) = ρ(d(x)).

Using the above lemma one can show 



Lemma 2. ( ' )i 



, , (V,<) , _ (3,<), < G {/,r}, 

- (' )i I >> I 



Theorem 1. , - - ( - ) ^ / Sc ( ) , ' , 

- ‘ ‘ i‘ () /i ‘ I - ‘ ' 

Proof. Let d ⊢_Sc S, with ρ(d) > 0. The proof proceeds by induction on the pair (ρ(d), #ρ(d)), where #ρ(d) is the number of cuts in d with cut-rank ρ(d). Suppose ρ(d) = |A| + 1 and let

d_0 ⊢_Sc Σ ⇒ A and d_1 ⊢_Sc Γ, A ⇒ C

be the premises of the uppermost cut in d with cut-formula A. We can find a derivation d' ⊢_Sc Γ, Σ ⇒ C with ρ(d') < ρ(d). Hence, replacing in d the subderivation ending in this largest uppermost cut by d' results in a derivation d̃ such that either ρ(d̃) < ρ(d) or #ρ(d̃) = #ρ(d) − 1. Two cases can occur:

1. The cut-formula A is not introduced by any logical (or quantifier) inference in d_0 or d_1. Assume first that this is the case in d_1. We consider the decoration of A in d_1 starting from d_1 ⊢_Sc Γ, A* ⇒ C. We then substitute A* everywhere in d_1 by Σ. Let us call d_1* the obtained labelled tree. Since A is not introduced by any logical (or quantifier) inference in d_1 and Sc is a (first-order) standard sequent calculus whose rules are substitutive, all the inferences in d_1* are correct (upon adding some structural inferences, if needed). Note that if A* originates in an axiom A* ⇒ A, this is transformed into Σ ⇒ A. Hence d_1* is a derivation in Sc and either d_1*, Σ ⇒ A ⊢_Sc Γ, Σ ⇒ C or d_1* ⊢_Sc Γ, Σ ⇒ C. A derivation d' ⊢_Sc Γ, Σ ⇒ C with ρ(d') < ρ(d) is thus obtained by replacing d_0 and d_1 in d by (the juxtaposition of d_0 and) d_1*. The case where A is not introduced by any logical (or quantifier) inference in d_0 is symmetric. Here we consider the decoration of A in d_0 starting from d_0 ⊢_Sc Σ ⇒ A* and we substitute in d_0 each sequent of the form Π ⇒ A* with Π, Γ ⇒ C, possibly adding suitable structural inferences, if needed. The rest of the proof proceeds (similarly) as above.

2. The cut-formula A is introduced by logical (or quantifier) inferences both in d_0 and d_1. Let us consider the decoration of A in d_0 and d_1 starting from d_0 ⊢_Sc Σ ⇒ A* and d_1 ⊢_Sc Γ, A* ⇒ C respectively. Suppose A = ⋆(A_1, ..., A_p), where ⋆ is any connective, or A = ∀xB(x). Let Σ_1 ⇒ A*, ..., Σ_n ⇒ A* and Γ_1, A* ⇒ C_1, ..., Γ_m, A* ⇒ C_m be the conclusions of the logical (or ∀) inferences introducing A* in d_0 and d_1. We first replace A* with Σ_1 everywhere in d_1. Note that the resulting tree is not a derivation anymore. However, since the rules of (first-order) Sc are substitutive, all the inferences, except those that introduced A* in d_1, are correct (upon adding some structural inferences, if needed). These incorrect inferences have the following form (assume w.l.o.g. that (⋆,l) is a one-premise rule)

$$\frac{\begin{array}{c} \vdots\ d'_i \\ \Gamma'_i, A_1, \ldots, A_t \Rightarrow B'_i \end{array}}{\Gamma_i, \Sigma_1 \Rightarrow B_i}\,(\star,l)$$

We replace them by cut(s) with d'_i ⊢_Sc Γ'_i, A_1, ..., A_t ⇒ B'_i and the premise(s) of the inference rule introducing A* in d_0 with conclusion Σ_1 ⇒ A* (previously applying the Substitution Lemma and adding some structural inferences, if needed). We call the resulting tree d_1^1. Note that if d_1 also contains axioms A* ⇒ A, these are transformed into sequents Σ_1 ⇒ A in d_1^1. These are simply replaced by the subderivation of d_0 ending in Σ_1 ⇒ A. Since the rules of Sc are reductive, d_1^1 is a derivation in Sc. Moreover, it is easy to check that d_1^1 ⊢_Sc Γ, Σ_1 ⇒ C. Similarly, we can obtain derivations d_1^2, ..., d_1^n of Γ, Σ_2 ⇒ C, ..., Γ, Σ_n ⇒ C, with ρ(d_1^t) < ρ(d), for t = 1, ..., n. This is not yet what we were looking for. Let us substitute in (the decorated version of) d_0 each sequent of the form Π ⇒ A* with Π, Γ ⇒ C, possibly adding suitable structural inferences, if needed. (If d_0 also contains axioms A ⇒ A*, these are replaced by the derivation d_1.) As before, the resulting tree is not a derivation anymore and the only incorrect inferences are those which introduced A*, which now have the form (assume w.l.o.g. that (⋆,r) is a one-premise rule)




512 



A. Ciabattoni 



$$\frac{\Sigma'_i \Rightarrow A_k}{\Sigma_i, \Gamma \Rightarrow C}\,(\star,r)$$

To correct these inferences we replace the whole subtree ending in Σ_i, Γ ⇒ C with the derivation d_1^i obtained before. Iterating this procedure for all the n inferences introducing A* in d_0 leads to the required derivation d' ⊢_Sc Γ, Σ ⇒ C with ρ(d') < ρ(d).

If A = ∃xB(x), the proof proceeds as above exchanging, however, the roles of d_0 and d_1. This way, one can replace the incorrect (∃,r) inferences introducing (∃xB(x))* with a cut from their premises and the premises of the (∃,l) inferences introducing (∃xB(x))* in d_1, previously applying the Substitution Lemma to the latter.

Cut-elimination by substitutions can be easily used in hypersequent calculi. First note that (ew) and (ec) are substitutive in any hypersequent calculus.

Theorem 2 . , ( ^ , , , HL ( ) 

O' ,, , 6 

Proof. Let d ⊢_HL H, with ρ(d) = |A| + 1, and let d_0 ⊢_HL G | Σ ⇒ A and d_1 ⊢_HL G | Γ, A ⇒ C be the premises of the uppermost cut in d with cut-formula A. We show that we can find a derivation d' ⊢_HL G | Γ, Σ ⇒ C with ρ(d') < ρ(d). The proof proceeds by induction on (ρ(d), #ρ(d)). We sketch below the (few) additional steps, w.r.t. those outlined in the proof of Theorem 1, needed to cope with side hypersequents.

1. The cut-formula A is not introduced by any logical (or quantifier) inference in d_0 or d_1. Assume w.l.o.g. that this is the case in d_1. We first add G to all the hypersequents in d_1 and, for each newly generated hypersequent G | B ⇒ B or G | ⊥ ⇒ (if any), we add an application of (ew) to recover the original axiom B ⇒ B or ⊥ ⇒ of d_1. The remaining steps are as in the proof of Theorem 1. The required derivation is finally obtained by applying (ec) to d_1*.

2. The cut-formula A is introduced by logical (or quantifier) inferences both in d_0 and d_1. Let G_1 | Σ_1 ⇒ A*, ..., G_n | Σ_n ⇒ A* (and G'_1 | Γ_1, A* ⇒ C_1, ..., G'_m | Γ_m, A* ⇒ C_m) be the conclusions of the logical (or quantifier) inferences introducing A* in d_0 and d_1, respectively. Assume, w.l.o.g., A = ⋆(A_1, ..., A_p) or A = ∀xB(x). We first add G_1 to all the hypersequents in d_1 and we add applications of (ew) to recover the original axioms of d_1, if needed. Following the same steps as in the proof of Theorem 1, we obtain the derivations d_1^t ⊢_HL G_t | G | Γ, Σ_t ⇒ C, for t = 1, ..., n. We now first add G to all the hypersequents in d_0 and then proceed as in the proof of Theorem 1. This leads to d'' ⊢_HL G | G | Γ, Σ ⇒ C. The required derivation is finally obtained by applying (ec) to d''.



() 

() 



Corollary 1. 



Sc 



HSc -b (com) 
Proof. It is easy to verify that HSc with in addition (com) satisfies conditions (a) and (b) too. The claim follows by Theorem 2.



4 Transfer Principle 

Let Sc be a (first-order) standard sequent calculus that admits cut-elimination by substitutions. Here we show that if Sc (or, equivalently, the formalized logic L) is "expressive enough", then HSc + (com) is an analytic calculus for L + the axiom schema (A ⊃ B) ∨ (B ⊃ A) (+, in the first-order case, ∀x(P(x) ∨ Q) ⊃ (∀xP(x) ∨ Q), where x does not occur free in Q).

Henceforth we assume logics to be specified by Hilbert-style systems. A logic L is identified with the set of its provable formulas. By a first-order logic L we mean a Hilbert system whose rules are modus ponens and generalization, and whose axioms for quantifiers are those of first-order intuitionistic logic.

In order to interpret (hyper)sequents into the language of the considered logics, we assume these contain a disjunction connective ∨, an implication ⊃ and the constant ⊥. Since sequents (respectively hypersequents) are multisets of formulas (respectively sequents), we assume ∨ is commutative and ⊃ satisfies exchange (i.e. (A ⊃ (B ⊃ C)) ⊃ (B ⊃ (A ⊃ C))). Moreover, ⊥ ⊃ A belongs to the provable formulas.

Definition 7. Let A_1, ..., A_n ⇒ B be a sequent. Its generic interpretation I is defined as

$$I(\Rightarrow B) := B \qquad I(A_1, \ldots, A_n \Rightarrow B) := (A_1 \supset \ldots \supset (A_n \supset B) \ldots) \qquad I(A_1, \ldots, A_n \Rightarrow) := (A_1 \supset \ldots \supset (A_n \supset \bot) \ldots)$$

Let G be the hypersequent S_1 | ... | S_n. Its generic interpretation I(G) is defined as I(S_1) ∨ ... ∨ I(S_n).



Definition 8. 



( ' ), 






Sn 



(r) 



n > 1 



sound , ^ 



(r) strongly sound , 

lU))--') (' ), ‘ 

L - 

L HL ,, . complete 



, . L, , 

L , L 

. . , HL 

, , HL 

HL 



L 

. l(Si)D (..‘(l(si)D 

,, . sound ( ^ strongly sound J 
. f strongly sound J , 

' / , 4 ' , L, 



Lemma 3. Sc 

(V,r)i,2. (V,0 , 



LJ . , (A,r), 



$$\frac{\Gamma \Rightarrow A \qquad \Gamma', B \Rightarrow C}{\Gamma, \Gamma', A \supset B \Rightarrow C}\,(\supset,l)$$
1. (A ⊃ B) ⊃ ((B ⊃ C) ⊃ (A ⊃ C)) ∈ L
2. A ⊃ (C ∨ A) ∈ L
3. If A ⊃ B ∈ L then (H ∨ A) ⊃ (H ∨ B) ∈ L
4. (A ∨ A) ⊃ A ∈ L
5. If A ∈ L, B ∈ L and (A ⊃ X) ∨ (B ⊃ X) ∈ L then X ∈ L
6. If A ⊃ B ∈ L and C ⊃ D ∈ L then (A ∨ C) ⊃ (B ∨ D) ∈ L
7. If (A ⊃ B) ∨ H ∈ L and A ∈ L then B ∨ H ∈ L
8. If A ∨ B ∈ L and A ⊃ X ∈ L then X ∨ B ∈ L
9. If A ⊃ (B ⊃ C) ∈ L, A ∨ H ∈ L and B ∨ H ∈ L then C ∨ H ∈ L
10. If A_1 ⊃ (A_2 ⊃ ... (A_n ⊃ B) ...) ∈ L and A_i ∨ H ∈ L for i = 1, ..., n, then B ∨ H ∈ L

3. By Property 2, B ⊃ (H ∨ B) ∈ L, hence by Property 1 and modus ponens, A ⊃ (H ∨ B) ∈ L. Since H ⊃ (H ∨ B) ∈ L, it follows that (H ∨ A) ⊃ (H ∨ B) ∈ L.

5. From A ∈ L and B ∈ L follows ((A ⊃ X) ∨ (B ⊃ X)) ⊃ X ∈ L. The claim follows by modus ponens.

7. From A ∈ L we get [(A ⊃ B) ∨ H] ⊃ (B ∨ H). The claim follows by modus ponens.

9. By Property 3, (B ⊃ C) ⊃ [(B ∨ H) ⊃ (C ∨ H)] ∈ L. By Property 1 and modus ponens follows A ⊃ [(B ∨ H) ⊃ (C ∨ H)] ∈ L. By Property 3 and modus ponens we get (A ∨ H) ⊃ ([(B ∨ H) ⊃ (C ∨ H)] ∨ H) ∈ L. By modus ponens we obtain [(B ∨ H) ⊃ (C ∨ H)] ∨ H and by Property 7 (C ∨ H) ∨ H ∈ L. The claim follows since [(C ∨ H) ∨ H] ⊃ (C ∨ H) ∈ L.

10. Follows by repeatedly applying Properties 3, 7 and 9.

Theorem 3. Let Sc be a standard sequent calculus in which the rules (⊃,r), (⊃,l), (∨,r)_{1,2} and (∨,l) are derivable. If Sc is strongly sound and complete for a logic L, then HSc + (com) is sound and complete for L + (A ⊃ B) ∨ (B ⊃ A).

Proof. (Soundness) The soundness of the logical and internal structural rules of HSc follows by the strong soundness of Sc w.r.t. L together with Property 10. The soundness of (ec) is ensured by Properties 3 and 4, while that of (ew) follows by Property 2. For (com) we can argue as follows: Assume I(Γ, Γ' ⇒ A) ∨ H ∈ L and I(Γ_1, Γ'_1 ⇒ A') ∨ H ∈ L. We show that

(*) I(Γ, Γ_1 ⇒ A) ∨ I(Γ', Γ'_1 ⇒ A') ∨ H ∈ L.

Indeed, let the notation [Σ], where Σ = Σ_1, ..., Σ_n, stand for (Σ_1 ⊃ (... (Σ_{n−1} ⊃ Σ_n) ...)). We have

([Γ_1] ⊃ [Γ']) ⊃ (I(Γ, Γ' ⇒ A) ⊃ I(Γ, Γ_1 ⇒ A)) and
([Γ'] ⊃ [Γ_1]) ⊃ (I(Γ_1, Γ'_1 ⇒ A') ⊃ I(Γ', Γ'_1 ⇒ A')).

By Properties 2, 3, 1 and modus ponens follow

(I(Γ, Γ' ⇒ A) ⊃ I(Γ, Γ_1 ⇒ A)) ⊃ ((I(Γ, Γ' ⇒ A) ∨ H) ⊃ (*)) ∈ L and
(I(Γ_1, Γ'_1 ⇒ A') ⊃ I(Γ', Γ'_1 ⇒ A')) ⊃ ((I(Γ_1, Γ'_1 ⇒ A') ∨ H) ⊃ (*)) ∈ L.

By Properties 1, 6 and the axiom (A ⊃ B) ∨ (B ⊃ A) we get

((I(Γ, Γ' ⇒ A) ∨ H) ⊃ (*)) ∨ ((I(Γ_1, Γ'_1 ⇒ A') ∨ H) ⊃ (*)) ∈ L

and the claim follows by Property 5.

(Completeness) Since Sc (and hence HSc) is complete for L, the claim follows by the derivability of the linearity axiom in HSc + (com):

$$\dfrac{\dfrac{\dfrac{\dfrac{A \Rightarrow A \qquad B \Rightarrow B}{A \Rightarrow B \mid B \Rightarrow A}\,(com)}{\Rightarrow A \supset B \mid\ \Rightarrow B \supset A}\,2\times(\supset,r)}{\Rightarrow (A \supset B) \vee (B \supset A) \mid\ \Rightarrow (A \supset B) \vee (B \supset A)}\,2\times(\vee_i,r)}{\Rightarrow (A \supset B) \vee (B \supset A)}\,(ec)$$

Corollary 2 (Transfer Principle). Let Sc be a standard sequent calculus whose rules are reductive and substitutive and in which the rules (⊃,r), (∨,r)_{1,2}, (∨,l) and (⊃,l) are derivable. If Sc is strongly sound and complete for a logic L, then HSc + (com) is an analytic calculus for L + (A ⊃ B) ∨ (B ⊃ A).

If Sc contains quantifier rules, this result does not hold anymore. E.g. in LJ the rules (⊃,r), (∨,r)_i, (∨,l) and (⊃,l) are derivable. However, the calculus obtained by adding (com) to the hypersequent version of LJ is not sound for first-order IL with the linearity axiom. (This logic, introduced by Corsi in [7], is semantically characterized by linearly ordered Kripke frames.) Indeed in this calculus one can derive the shifting law of universal quantifiers w.r.t. ∨, i.e., (∀∨) ∀x(P(x) ∨ Q) ⊃ (∀xP(x) ∨ Q), where x does not occur free in Q. This law, which forces the domains of the corresponding Kripke models to be constant, is not valid in Corsi's logic. In fact, HLJ + (com) turns out to be sound and complete for first-order Gödel logic [4], whose axiomatization is obtained by adding (∀∨) to Corsi's logic. As the theorem below shows, this is not by chance, but follows a general principle (note that (∀∨) is needed to prove the soundness of the hypersequent rule (∀,r)).

Theorem 4. Let Sc be a first-order standard sequent calculus in which the rules (⊃,r), (∨,r)_{1,2}, (∨,l) and (⊃,l) are derivable. If Sc is strongly sound and complete for a logic L, then HSc + (com) is sound and complete for L + (A ⊃ B) ∨ (B ⊃ A) + (∀∨).
Proof. (Soundness) By Theorem 3 it is enough to prove the soundness of the hypersequent rules for quantifiers w.r.t. L. The cases (∀,l) and (∃,r) are easy. For (∀,r) we may argue as follows: if I(G) ∨ I(Γ ⇒ A(a)) ∈ L, then ∀x(I(G) ∨ I(Γ ⇒ A(x))) ∈ L too. Since a did not occur in I(G) or in Γ, we may now assume that x does not either. Hence I(G) ∨ ∀xI(Γ ⇒ A(x)) ∈ L + (∀∨). The result follows by Property 8 since ∀xI(Γ ⇒ A(x)) ⊃ I(Γ ⇒ ∀xA(x)) ∈ L. The soundness of (∃,l) can be proved in a similar way.

(Completeness) Since the generalization rule is a particular case of (∀,r), by Theorem 3 it is enough to prove that ⊢_{HSc+(com)} (∀∨). Indeed

$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{A(a) \Rightarrow A(a) \qquad \dfrac{A(a) \Rightarrow A(a) \qquad B \Rightarrow B}{B \Rightarrow A(a) \mid A(a) \Rightarrow B}\,(com) \qquad B \Rightarrow B}{A(a) \vee B \Rightarrow A(a) \mid A(a) \vee B \Rightarrow B}\,2\times(\vee,l)}{\forall x(A(x) \vee B) \Rightarrow A(a) \mid \forall x(A(x) \vee B) \Rightarrow B}\,2\times(\forall,l)}{\forall x(A(x) \vee B) \Rightarrow \forall xA(x) \mid \forall x(A(x) \vee B) \Rightarrow B}\,(\forall,r)}{\forall x(A(x) \vee B) \Rightarrow \forall xA(x) \vee B \mid \forall x(A(x) \vee B) \Rightarrow \forall xA(x) \vee B}\,2\times(\vee,r)}{\forall x(A(x) \vee B) \Rightarrow \forall xA(x) \vee B}\,(ec)}{\Rightarrow \forall x(A(x) \vee B) \supset (\forall xA(x) \vee B)}\,(\supset,r)$$



Corollary 3 (Transfer Principle). Let Sc be a first-order standard sequent calculus whose rules are reductive and substitutive and in which the rules (⊃,r), (∨,r)_{1,2}, (∨,l) and (⊃,l) are derivable. If Sc is strongly sound and complete for a logic L, then HSc + (com) is an analytic calculus for L + (lin) + (∀∨).



5 SMTL: A Case Study 

As an easy corollary of the transfer principle introduced above, we define here an analytic calculus for Strict Monoidal T-norm based Logic SMTL. This logic was defined in [9] by adding the axioms ((A ⊃ ⊥) ∧ A) ⊃ ⊥ and (lin) to FLew. SMTL turns out to be the logic based on left-continuous t-norms satisfying the pseudo-complementation property. To the best of our knowledge no analytic calculi have been provided for SMTL so far.

Proposition 1. ScFLew + (wc) is strongly sound and complete for FLew + ((A ⊃ ⊥) ∧ A) ⊃ ⊥.

Proof. (Soundness) ⊢_{ScFLew} I(Γ, A, A ⇒), ((A ⊃ ⊥) ∧ A) ⊃ ⊥ ⇒ I(Γ, A ⇒). Hence the claim follows by the strong soundness of ScFLew w.r.t. FLew ([13]) and the axiom ((A ⊃ ⊥) ∧ A) ⊃ ⊥.

(Completeness) By the completeness of ScFLew w.r.t. FLew it is enough to check that ⊢_{ScFLew+(wc)} ((A ⊃ ⊥) ∧ A) ⊃ ⊥. This is straightforward.

Corollary 4. The calculus obtained by adding (com) to the hypersequent version of ScFLew + (wc) is an analytic calculus for SMTL.

Proof. ScFLew + (wc) is a standard sequent calculus in which the rules (⊃,r), (∨,r)_{1,2}, (∨,l) and (⊃,l) are derivable. Moreover its rules are reductive and substitutive. The claim follows by Proposition 1 and Corollary 2.